Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
| Dependency | CPE | GAV | Highest Severity | CVE Count | CPE Confidence | Evidence Count |
|---|---|---|---|---|---|---|
| antlr-2.7.6.jar | antlr:antlr:2.7.6 ✓ | 0 | 14 | |||
| aopalliance-1.0.jar | aopalliance:aopalliance:1.0 ✓ | 0 | 16 | |||
| xercesImpl-2.9.1.jar | xerces:xercesImpl:2.9.1 ✓ | 0 | 47 | |||
| asm-attrs-1.5.3.jar | asm:asm-attrs:1.5.3 ✓ | 0 | 21 | |||
| asm-1.5.3.jar | asm:asm:1.5.3 ✓ | 0 | 20 | |||
| aspectjrt-1.5.3.jar | aspectj:aspectjrt:1.5.3 ✓ | 0 | 19 | |||
| aspectjweaver-1.5.3.jar | aspectj:aspectjweaver:1.5.3 ✓ | 0 | 20 | |||
| avalon-framework-impl-4.2.0.jar | avalon-framework:avalon-framework-impl:4.2.0 ✓ | 0 | 20 | |||
| backport-util-concurrent-3.1.jar | backport-util-concurrent:backport-util-concurrent:3.1 ✓ | 0 | 20 | |||
| bcmail-jdk14-138.jar | bouncycastle:bcmail-jdk14:138 ✓ | 0 | 21 | |||
| bcprov-jdk14-138.jar |
cpe:/a:bouncycastle:bouncy-castle-crypto-package:1.38
cpe:/a:bouncycastle:bouncy_castle_crypto_package:1.38 |
bouncycastle:bcprov-jdk14:138 ✓ | Medium | 1 | LOW | 21 |
| c3p0-0.9.1.1.jar | c3p0:c3p0:0.9.1.1 ✓ | 0 | 21 | |||
| cglib-2.1_3.jar | cglib:cglib:2.1_3 ✓ | 0 | 16 | |||
| xmpcore-5.1.2.jar | com.adobe.xmp:xmpcore:5.1.2 ✓ | 0 | 24 | |||
| jcommander-1.35.jar | com.beust:jcommander:1.35 ✓ | 0 | 17 | |||
| hppc-0.7.1.jar | com.carrotsearch:hppc:0.7.1 ✓ | 0 | 17 | |||
| metadata-extractor-2.8.0.jar | cpe:/a:id:id-software:2.8.0 | com.drewnoakes:metadata-extractor:2.8.0 ✓ | 0 | LOW | 17 | |
| jackson-annotations-2.5.4.jar | cpe:/a:fasterxml:jackson:2.5.4 | com.fasterxml.jackson.core:jackson-annotations:2.5.4 ✓ | 0 | LOW | 28 | |
| jackson-core-2.6.1.jar | cpe:/a:fasterxml:jackson:2.6.1 | com.fasterxml.jackson.core:jackson-core:2.6.1 ✓ | 0 | LOW | 28 | |
| jackson-databind-2.5.4.jar | cpe:/a:fasterxml:jackson:2.5.4 | com.fasterxml.jackson.core:jackson-databind:2.5.4 ✓ | 0 | LOW | 28 | |
| jackson-dataformat-smile-2.5.4.jar | cpe:/a:fasterxml:jackson:2.5.4 | com.fasterxml.jackson.dataformat:jackson-dataformat-smile:2.5.4 ✓ | 0 | LOW | 28 | |
| caffeine-2.4.0.jar | com.github.ben-manes.caffeine:caffeine:2.4.0 ✓ | 0 | 21 | |||
| junrar-0.7.jar | com.github.junrar:junrar:0.7 ✓ | 0 | 15 | |||
| curvesapi-1.03.jar | com.github.virtuald:curvesapi:1.03 ✓ | 0 | 16 | |||
| jsr305-1.3.9.jar | com.google.code.findbugs:jsr305:1.3.9 ✓ | 0 | 16 | |||
| gson-2.2.4.jar | com.google.code.gson:gson:2.2.4 ✓ | 0 | 24 | |||
| error_prone_annotations-2.0.18.jar | com.google.errorprone:error_prone_annotations:2.0.18 ✓ | 0 | 17 | |||
| guava-23.0.jar | com.google.guava:guava:23.0 ✓ | 0 | 20 | |||
| j2objc-annotations-1.1.jar | com.google.j2objc:j2objc-annotations:1.1 | 0 | 14 | |||
| protobuf-java-3.1.0.jar | com.google.protobuf:protobuf-java:3.1.0 ✓ | 0 | 20 | |||
| core-3.2.1.jar | com.google.zxing:core:3.2.1 ✓ | 0 | 17 | |||
| concurrentlinkedhashmap-lru-1.0.jar | com.googlecode.concurrentlinkedhashmap:concurrentlinkedhashmap-lru:1.0 ✓ | 0 | 16 | |||
| ez-vcard-0.9.10.jar | com.googlecode.ez-vcard:ez-vcard:0.9.10 ✓ | 0 | 18 | |||
| json-simple-1.1.1.jar | com.googlecode.json-simple:json-simple:1.1.1 ✓ | 0 | 17 | |||
| juniversalchardet-1.0.3.jar | com.googlecode.juniversalchardet:juniversalchardet:1.0.3 ✓ | 0 | 17 | |||
| libphonenumber-8.6.0.jar | com.googlecode.libphonenumber:libphonenumber:8.6.0 ✓ | 0 | 19 | |||
| isoparser-1.0.2.jar | cpe:/a:boxes_project:boxes:1.0.2 | com.googlecode.mp4parser:isoparser:1.0.2 ✓ | 0 | LOW | 17 | |
| owasp-java-html-sanitizer-20160628.1.jar | cpe:/a:owasp-java-html-sanitizer_project:owasp-java-html-sanitizer:20160628.1 | com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:20160628.1 ✓ | 0 | LOW | 16 | |
| jackcess-encrypt-2.1.1.jar | com.healthmarketscience.jackcess:jackcess-encrypt:2.1.1 ✓ | 0 | 20 | |||
| jackcess-2.1.2.jar | com.healthmarketscience.jackcess:jackcess:2.1.2 ✓ | 0 | 20 | |||
| icu4j-57.1.jar | com.ibm.icu:icu4j:57.1 ✓ | 0 | 27 | |||
| itext-2.1.7.jar | com.lowagie:itext:2.1.7 ✓ | 0 | 17 | |||
| java-libpst-0.8.1.jar | com.pff:java-libpst:0.8.1 ✓ | 0 | 15 | |||
| rome-utils-1.5.1.jar | com.rometools:rome-utils:1.5.1 ✓ | 0 | 18 | |||
| rome-1.5.1.jar | com.rometools:rome:1.5.1 ✓ | 0 | 20 | |||
| javax.mail-1.5.1.jar | cpe:/a:mail_project:mail:1.5.1 | com.sun.mail:javax.mail:1.5.1 ✓ | Medium | 1 | LOW | 28 |
| com.springsource.com.sun.syndication-0.9.0.jar | com.sun.syndication:com.springsource.com.sun.syndication:0.9.0 | 0 | 17 | |||
| jaxb-impl-2.1.9.jar | com.sun.xml.bind:jaxb-impl:2.1.9 ✓ | 0 | 23 | |||
| t-digest-3.1.jar | com.tdunning:t-digest:3.1 ✓ | 0 | 17 | |||
| xstream-1.4.9.jar |
cpe:/a:x-stream:xstream:1.4.9
cpe:/a:xstream_project:xstream:1.4.9 |
com.thoughtworks.xstream:xstream:1.4.9 ✓ | Medium | 1 | HIGHEST | 34 |
| commons-beanutils-core-1.8.0.jar | cpe:/a:apache:commons_beanutils:1.8.0 | commons-beanutils:commons-beanutils-core:1.8.0 ✓ | High | 1 | LOW | 24 |
| commons-beanutils-1.9.2.jar | cpe:/a:apache:commons_beanutils:1.9.2 | commons-beanutils:commons-beanutils:1.9.2 ✓ | 0 | LOW | 27 | |
| commons-cli-1.3.1.jar | commons-cli:commons-cli:1.3.1 ✓ | 0 | 28 | |||
| commons-codec-1.10.jar | commons-codec:commons-codec:1.10 ✓ | 0 | 28 | |||
| commons-collections-3.2.2.jar | cpe:/a:apache:commons_collections:3.2.2 | commons-collections:commons-collections:3.2.2 ✓ | 0 | LOW | 29 | |
| commons-configuration-1.6.jar | commons-configuration:commons-configuration:1.6 ✓ | 0 | 26 | |||
| commons-digester-1.8.1.jar | commons-digester:commons-digester:1.8.1 ✓ | 0 | 26 | |||
| commons-discovery-0.5.jar | commons-discovery:commons-discovery:0.5 ✓ | 0 | 26 | |||
| commons-fileupload-1.3.2.jar | cpe:/a:apache:commons_fileupload:1.3.2 | commons-fileupload:commons-fileupload:1.3.2 ✓ | High | 1 | LOW | 29 |
| commons-httpclient-3.1.jar |
cpe:/a:apache:commons-httpclient:3.1
cpe:/a:apache:httpclient:3.1 |
commons-httpclient:commons-httpclient:3.1 ✓ | Medium | 3 | LOW | 22 |
| commons-io-2.5.jar | commons-io:commons-io:2.5 ✓ | 0 | 29 | |||
| commons-lang-2.6.jar | commons-lang:commons-lang:2.6 ✓ | 0 | 26 | |||
| commons-logging-api-1.1.jar | commons-logging:commons-logging-api:1.1 ✓ | 0 | 27 | |||
| commons-logging-1.2.jar | commons-logging:commons-logging:1.2 ✓ | 0 | 27 | |||
| commons-net-3.3.jar | commons-net:commons-net:3.3 ✓ | 0 | 27 | |||
| commons-validator-1.5.1.jar | commons-validator:commons-validator:1.5.1 ✓ | 0 | 29 | |||
| boilerpipe-1.1.0.jar | de.l3s.boilerpipe:boilerpipe:1.1.0 ✓ | 0 | 17 | |||
| juel-impl-2.2.7.jar | de.odysseus.juel:juel-impl:2.2.7 ✓ | 0 | 26 | |||
| juel-spi-2.2.7.jar | de.odysseus.juel:juel-spi:2.2.7 ✓ | 0 | 19 | |||
| dom4j-1.6.1.jar | dom4j:dom4j:1.6.1 ✓ | 0 | 23 | |||
| cdm-4.5.5.jar | edu.ucar:cdm:4.5.5 ✓ | 0 | 20 | |||
| grib-4.5.5.jar | edu.ucar:grib:4.5.5 ✓ | 0 | 20 | |||
| httpservices-4.5.5.jar | edu.ucar:httpservices:4.5.5 ✓ | 0 | 19 | |||
| jj2000-5.2.jar | edu.ucar:jj2000:5.2 ✓ | 0 | 16 | |||
| netcdf4-4.5.5.jar | edu.ucar:netcdf4:4.5.5 ✓ | 0 | 18 | |||
| udunits-4.5.5.jar | edu.ucar:udunits:4.5.5 ✓ | 0 | 20 | |||
| gmetric4j-1.0.7.jar | info.ganglia.gmetric4j:gmetric4j:1.0.7 ✓ | 0 | 18 | |||
| metrics-core-3.1.2.jar | io.dropwizard.metrics:metrics-core:3.1.2 ✓ | 0 | 20 | |||
| metrics-ganglia-3.1.2.jar | io.dropwizard.metrics:metrics-ganglia:3.1.2 ✓ | 0 | 20 | |||
| metrics-graphite-3.1.2.jar | cpe:/a:graphite_project:graphite:3.1.2 | io.dropwizard.metrics:metrics-graphite:3.1.2 ✓ | 0 | LOW | 20 | |
| metrics-jetty9-3.1.2.jar | cpe:/a:jetty:jetty:3.1.2 | io.dropwizard.metrics:metrics-jetty9:3.1.2 ✓ | 0 | LOW | 20 | |
| metrics-jvm-3.1.2.jar | io.dropwizard.metrics:metrics-jvm:3.1.2 ✓ | 0 | 20 | |||
| activation-1.1.jar | javax.activation:activation:1.1 ✓ | 0 | 22 | |||
| javax.annotation-api-1.2.jar | cpe:/a:oracle:glassfish:1.2 | javax.annotation:javax.annotation-api:1.2 ✓ | Medium | 2 | LOW | 27 |
| javax.el-api-3.0.1-b04.jar | cpe:/a:oracle:glassfish:3.0.1.b04 | javax.el:javax.el-api:3.0.1-b04 ✓ | Medium | 2 | LOW | 25 |
| jsr-275-0.9.3.jar | javax.measure:jsr-275:0.9.3 ✓ | 0 | 20 | |||
| persistence-api-1.0.jar | javax.persistence:persistence-api:1.0 ✓ | 0 | 22 | |||
| javax.servlet.jsp-api-2.3.0.jar |
cpe:/a:oracle:glassfish:2.3.0
cpe:/a:oracle:glassfish_server:2.3.0 |
javax.servlet.jsp:javax.servlet.jsp-api:2.3.0 ✓ | Medium | 3 | LOW | 25 |
| javax.servlet-api-3.1.0.jar | cpe:/a:oracle:glassfish:3.1.0 | javax.servlet:javax.servlet-api:3.1.0 ✓ | Medium | 2 | LOW | 26 |
| servlet-api-2.4.jar | javax.servlet:servlet-api:2.4 ✓ | 0 | 19 | |||
| jta-1.0.1B.jar | javax.transaction:jta:1.0.1B | 0 | 7 | |||
| javax.ws.rs-api-2.0.1.jar |
cpe:/a:restful_project:restful:2.0.1
cpe:/a:restful_web_services_project:restful_web_services:2.0.1 |
javax.ws.rs:javax.ws.rs-api:2.0.1 ✓ | 0 | LOW | 25 | |
| jsr311-api-1.1.1.jar | javax.ws.rs:jsr311-api:1.1.1 ✓ | 0 | 21 | |||
| jaxb-api-2.1.jar | javax.xml.bind:jaxb-api:2.1 | 0 | 12 | |||
| stax-api-1.0-2.jar | javax.xml.stream:stax-api:1.0-2 ✓ | 0 | 16 | |||
| xmldsig-1.0.jar | cpe:/a:jasper_project:jasper:1.0.1 | com.hynnet:jasper-xml-dsig:1.0.0 ✓ | High | 35 | LOW | 25 |
| jaxen-1.1.6.jar | jaxen:jaxen:1.1.6 ✓ | 0 | 20 | |||
| jdom-1.0.jar | com.sun.phobos:jdom:1.0 ✓ | 0 | 36 | |||
| joda-time-2.2.jar | cpe:/a:date_project:date:2.2 | joda-time:joda-time:2.2 ✓ | Low | 1 | LOW | 26 |
| junit-dep-4.10.jar | junit:junit-dep:4.10 ✓ | 0 | 17 | |||
| junit-3.8.2.jar | junit:junit:3.8.2 ✓ | 0 | 17 | |||
| junit-4.12.jar | junit:junit:4.12 ✓ | 0 | 21 | |||
| log4j-1.2.17.jar | cpe:/a:apache:log4j:1.2.17 | log4j:log4j:1.2.17 ✓ | 0 | LOW | 22 | |
| ical4j-1.0-rc3-atlassian-11.jar | net.fortuna.ical4j:ical4j:1.0-rc3-atlassian-11 | 0 | 16 | |||
| eigenbase-properties-1.1.5.jar | net.hydromatic:eigenbase-properties:1.1.5 ✓ | 0 | 21 | |||
| jna-4.1.0.jar | net.java.dev.jna:jna:4.1.0 ✓ | 0 | 26 | |||
| jna-4.1.0.jar: jnidispatch.dll | 0 | 1 | ||||
| jna-4.1.0.jar: jnidispatch.dll | 0 | 1 | ||||
| jna-4.1.0.jar: jnidispatch.dll | 0 | 1 | ||||
| jcip-annotations-1.0.jar | net.jcip:jcip-annotations:1.0 ✓ | 0 | 16 | |||
| barcode4j-fop-ext-2.1.jar | net.sf.barcode4j:barcode4j-fop-ext:2.1 ✓ | 0 | 22 | |||
| barcode4j-2.1.jar | net.sf.barcode4j:barcode4j:2.1 ✓ | 0 | 24 | |||
| ehcache-core-2.6.2.jar | net.sf.ehcache:ehcache-core:2.6.2 ✓ | 0 | 15 | |||
| ehcache-core-2.6.2.jar: sizeof-agent.jar | net.sf.ehcache:sizeof-agent:1.0.1 | 0 | 14 | |||
| ehcache-1.2.3.jar | net.sf.ehcache:ehcache:1.2.3 ✓ | 0 | 17 | |||
| jwnl-1.3.3.jar | cpe:/a:wordnet:wordnet:1.3.3 | net.sf.jwordnet:jwnl:1.3.3 ✓ | 0 | LOW | 17 | |
| jmatio-1.0.jar | net.sourceforge.jmatio:jmatio:1.0 ✓ | 0 | 16 | |||
| nekohtml-1.9.12.jar | net.sourceforge.nekohtml:nekohtml:1.9.12 ✓ | 0 | 18 | |||
| ognl-2.6.9.jar | cpe:/a:ognl_project:ognl:2.6.9 | ognl:ognl:2.6.9 ✓ | Medium | 1 | LOW | 17 |
| antlr4-runtime-4.5.1-1.jar | org.antlr:antlr4-runtime:4.5.1-1 ✓ | 0 | 24 | |||
| ant-junit-1.9.0.jar | org.apache.ant:ant-junit:1.9.0 ✓ | 0 | 23 | |||
| ant-junit-1.9.7.jar | org.apache.ant:ant-junit:1.9.7 ✓ | 0 | 23 | |||
| ant-launcher-1.9.0.jar | org.apache.ant:ant-launcher:1.9.0 ✓ | 0 | 19 | |||
| ant-launcher-1.9.7.jar | org.apache.ant:ant-launcher:1.9.7 ✓ | 0 | 19 | |||
| ant-1.9.0.jar | org.apache.ant:ant:1.9.0 ✓ | 0 | 21 | |||
| ant-1.9.7.jar | org.apache.ant:ant:1.9.7 ✓ | 0 | 21 | |||
| avalon-framework-api-4.3.1.jar | org.apache.avalon.framework:avalon-framework-api:4.3.1 ✓ | 0 | 18 | |||
| avalon-framework-impl-4.3.1.jar | org.apache.avalon.framework:avalon-framework-impl:4.3.1 ✓ | 0 | 18 | |||
| axis2-kernel-1.7.1.jar | cpe:/a:apache:axis2:1.7.1 | org.apache.axis2:axis2-kernel:1.7.1 ✓ | Medium | 2 | LOW | 22 |
| axis2-transport-http-1.7.1.jar | cpe:/a:apache:axis2:1.7.1 | org.apache.axis2:axis2-transport-http:1.7.1 ✓ | Medium | 2 | LOW | 22 |
| axis2-transport-local-1.7.1.jar | cpe:/a:apache:axis2:1.7.1 | org.apache.axis2:axis2-transport-local:1.7.1 ✓ | Medium | 2 | LOW | 20 |
| axis-1.4.jar | cpe:/a:apache:axis:1.4 | axis:axis:1.4 ✓ | Medium | 2 | HIGHEST | 19 |
| avatica-core-1.9.0.jar | org.apache.calcite.avatica:avatica-core:1.9.0 ✓ | 0 | 21 | |||
| calcite-core-1.11.0.jar | org.apache.calcite:calcite-core:1.11.0 ✓ | 0 | 22 | |||
| calcite-linq4j-1.11.0.jar | org.apache.calcite:calcite-linq4j:1.11.0 ✓ | 0 | 22 | |||
| commons-collections4-4.1.jar | cpe:/a:apache:commons_collections:4.1 | org.apache.commons:commons-collections4:4.1 ✓ | 0 | LOW | 28 | |
| commons-compress-1.10.jar | cpe:/a:apache:commons-compress:1.10 | org.apache.commons:commons-compress:1.10 ✓ | 0 | LOW | 29 | |
| commons-csv-1.1.jar | org.apache.commons:commons-csv:1.1 ✓ | 0 | 28 | |||
| commons-dbcp2-2.1.jar | org.apache.commons:commons-dbcp2:2.1 ✓ | 0 | 27 | |||
| commons-exec-1.3.jar | org.apache.commons:commons-exec:1.3 ✓ | 0 | 28 | |||
| commons-pool2-2.3.jar | org.apache.commons:commons-pool2:2.3 ✓ | 0 | 27 | |||
| commons-vfs2-2.0.jar | org.apache.commons:commons-vfs2:2.0 ✓ | 0 | 25 | |||
| curator-client-2.8.0.jar | org.apache.curator:curator-client:2.8.0 | 0 | 16 | |||
| curator-framework-2.8.0.jar | cpe:/a:apache:zookeeper:2.8.0 | org.apache.curator:curator-framework:2.8.0 | Medium | 2 | LOW | 16 |
| curator-recipes-2.8.0.jar | cpe:/a:apache:zookeeper:2.8.0 | org.apache.curator:curator-recipes:2.8.0 | Medium | 2 | LOW | 16 |
| cxf-core-3.0.3.jar | cpe:/a:apache:cxf:3.0.3 | org.apache.cxf:cxf-core:3.0.3 | High | 6 | LOW | 22 |
| cxf-rt-frontend-jaxrs-3.0.3.jar | cpe:/a:apache:cxf:3.0.3 | org.apache.cxf:cxf-rt-frontend-jaxrs:3.0.3 | High | 6 | LOW | 22 |
| cxf-rt-rs-client-3.0.3.jar | cpe:/a:apache:cxf:3.0.3 | org.apache.cxf:cxf-rt-rs-client:3.0.3 | High | 6 | LOW | 22 |
| cxf-rt-transports-http-3.0.3.jar | cpe:/a:apache:cxf:3.0.3 | org.apache.cxf:cxf-rt-transports-http:3.0.3 | High | 6 | LOW | 22 |
| derby-10.11.1.1.jar | cpe:/a:apache:derby:10.11.1.1 | org.apache.derby:derby:10.11.1.1 | Medium | 1 | HIGHEST | 11 |
| geronimo-transaction-3.1.4.jar | cpe:/a:apache:geronimo:3.1.4 | org.apache.geronimo.components:geronimo-transaction:3.1.4 | Low | 1 | LOW | 19 |
| geronimo-activation_1.1_spec-1.1.jar | org.apache.geronimo.specs:geronimo-activation_1.1_spec:1.1 | 0 | 20 | |||
| geronimo-j2ee-connector_1.6_spec-1.0.jar | org.apache.geronimo.specs:geronimo-j2ee-connector_1.6_spec:1.0 | 0 | 18 | |||
| geronimo-jaxrpc_1.1_spec-1.1.jar | org.apache.geronimo.specs:geronimo-jaxrpc_1.1_spec:1.1 | 0 | 14 | |||
| geronimo-jms_1.1_spec-1.1.1.jar | org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1 | 0 | 16 | |||
| geronimo-jta_1.1_spec-1.1.1.jar | org.apache.geronimo.specs:geronimo-jta_1.1_spec:1.1.1 | 0 | 16 | |||
| geronimo-stax-api_1.0_spec-1.0.1.jar | org.apache.geronimo.specs:geronimo-stax-api_1.0_spec:1.0.1 | 0 | 16 | |||
| geronimo-ws-metadata_2.0_spec-1.1.2.jar | org.apache.geronimo.specs:geronimo-ws-metadata_2.0_spec:1.1.2 | 0 | 16 | |||
| hadoop-annotations-2.7.2.jar | cpe:/a:apache:hadoop:2.7.2 | org.apache.hadoop:hadoop-annotations:2.7.2 | Medium | 2 | HIGHEST | 15 |
| hadoop-auth-2.7.2.jar | cpe:/a:apache:hadoop:2.7.2 | org.apache.hadoop:hadoop-auth:2.7.2 | Medium | 2 | HIGHEST | 16 |
| hadoop-common-2.7.2.jar | cpe:/a:apache:hadoop:2.7.2 | org.apache.hadoop:hadoop-common:2.7.2 | Medium | 2 | HIGHEST | 14 |
| hadoop-hdfs-2.7.2.jar | cpe:/a:apache:hadoop:2.7.2 | org.apache.hadoop:hadoop-hdfs:2.7.2 | Medium | 2 | HIGHEST | 15 |
| htrace-core-3.2.0-incubating.jar | cpe:/a:fasterxml:jackson:3.2.0 | org.apache.htrace:htrace-core:3.2.0-incubating | 0 | LOW | 15 | |
| httpclient-cache-4.4.1.jar | cpe:/a:apache:httpclient:4.4.1 | org.apache.httpcomponents:httpclient-cache:4.4.1 | 0 | LOW | 21 | |
| httpclient-4.4.1.jar | cpe:/a:apache:httpclient:4.4.1 | org.apache.httpcomponents:httpclient:4.4.1 | 0 | LOW | 21 | |
| httpcore-4.4.1.jar | org.apache.httpcomponents:httpcore:4.4.1 | 0 | 21 | |||
| httpmime-4.4.1.jar | cpe:/a:apache:httpclient:4.4.1 | org.apache.httpcomponents:httpmime:4.4.1 | 0 | LOW | 21 | |
| apache-mime4j-core-0.7.2.jar | cpe:/a:apache:james:0.7.2 | org.apache.james:apache-mime4j-core:0.7.2 | 0 | LOW | 22 | |
| apache-mime4j-dom-0.7.2.jar | cpe:/a:apache:james:0.7.2 | org.apache.james:apache-mime4j-dom:0.7.2 | 0 | LOW | 23 | |
| log4j-1.2-api-2.6.2.jar | cpe:/a:apache:log4j:2.6.2 | org.apache.logging.log4j:log4j-1.2-api:2.6.2 | High | 1 | HIGHEST | 23 |
| log4j-api-2.6.2.jar | cpe:/a:apache:log4j:2.6.2 | org.apache.logging.log4j:log4j-api:2.6.2 | High | 1 | HIGHEST | 24 |
| log4j-core-2.6.2.jar | cpe:/a:apache:log4j:2.6.2 | org.apache.logging.log4j:log4j-core:2.6.2 | High | 1 | HIGHEST | 24 |
| log4j-jul-2.6.2.jar | cpe:/a:apache:log4j:2.6.2 | org.apache.logging.log4j:log4j-jul:2.6.2 | High | 1 | HIGHEST | 24 |
| log4j-slf4j-impl-2.6.2.jar | cpe:/a:apache:log4j:2.6.2 | org.apache.logging.log4j:log4j-slf4j-impl:2.6.2 | High | 1 | HIGHEST | 24 |
| lucene-analyzers-common-6.5.1.jar | org.apache.lucene:lucene-analyzers-common:6.5.1 | 0 | 14 | |||
| lucene-analyzers-kuromoji-6.5.1.jar | org.apache.lucene:lucene-analyzers-kuromoji:6.5.1 | 0 | 15 | |||
| lucene-analyzers-phonetic-6.5.1.jar | org.apache.lucene:lucene-analyzers-phonetic:6.5.1 | 0 | 15 | |||
| lucene-backward-codecs-6.5.1.jar | org.apache.lucene:lucene-backward-codecs:6.5.1 | 0 | 15 | |||
| lucene-classification-6.5.1.jar | org.apache.lucene:lucene-classification:6.5.1 | 0 | 14 | |||
| lucene-codecs-6.5.1.jar | org.apache.lucene:lucene-codecs:6.5.1 | 0 | 14 | |||
| lucene-core-6.5.1.jar | org.apache.lucene:lucene-core:6.5.1 | 0 | 13 | |||
| lucene-expressions-6.5.1.jar | org.apache.lucene:lucene-expressions:6.5.1 | 0 | 15 | |||
| lucene-grouping-6.5.1.jar | org.apache.lucene:lucene-grouping:6.5.1 | 0 | 15 | |||
| lucene-highlighter-6.5.1.jar | org.apache.lucene:lucene-highlighter:6.5.1 | 0 | 14 | |||
| lucene-join-6.5.1.jar | org.apache.lucene:lucene-join:6.5.1 | 0 | 15 | |||
| lucene-memory-6.5.1.jar | org.apache.lucene:lucene-memory:6.5.1 | 0 | 15 | |||
| lucene-misc-6.5.1.jar | org.apache.lucene:lucene-misc:6.5.1 | 0 | 13 | |||
| lucene-queries-6.5.1.jar | org.apache.lucene:lucene-queries:6.5.1 | 0 | 15 | |||
| lucene-queryparser-6.5.1.jar | org.apache.lucene:lucene-queryparser:6.5.1 | 0 | 15 | |||
| lucene-sandbox-6.5.1.jar | org.apache.lucene:lucene-sandbox:6.5.1 | 0 | 13 | |||
| lucene-spatial-extras-6.5.1.jar | org.apache.lucene:lucene-spatial-extras:6.5.1 | 0 | 15 | |||
| lucene-suggest-6.5.1.jar | org.apache.lucene:lucene-suggest:6.5.1 | 0 | 15 | |||
| maven-scm-api-1.4.jar | org.apache.maven.scm:maven-scm-api:1.4 | 0 | 18 | |||
| maven-scm-provider-svn-commons-1.4.jar | org.apache.maven.scm:maven-scm-provider-svn-commons:1.4 | 0 | 18 | |||
| maven-scm-provider-svnexe-1.4.jar | org.apache.maven.scm:maven-scm-provider-svnexe:1.4 | 0 | 18 | |||
| neethi-3.0.3.jar | cpe:/a:apache:apache_test:3.0.3 | org.apache.neethi:neethi:3.0.3 | 0 | LOW | 25 | |
| opennlp-maxent-3.0.3.jar | org.apache.opennlp:opennlp-maxent:3.0.3 | 0 | 15 | |||
| opennlp-tools-1.5.3.jar | org.apache.opennlp:opennlp-tools:1.5.3 | 0 | 22 | |||
| fontbox-1.8.10.jar | cpe:/a:font_project:font:1.8.10 | org.apache.pdfbox:fontbox:1.8.10 | Medium | 1 | LOW | 23 |
| jempbox-1.8.10.jar | cpe:/a:apache:pdfbox:1.8.10 | org.apache.pdfbox:jempbox:1.8.10 | High | 1 | HIGHEST | 22 |
| pdfbox-1.8.10.jar | cpe:/a:apache:pdfbox:1.8.10 | org.apache.pdfbox:pdfbox:1.8.10 | High | 1 | HIGHEST | 22 |
| poi-excelant-3.14.jar | cpe:/a:apache:poi:3.14 | org.apache.poi:poi-excelant:3.14 | High | 1 | HIGHEST | 15 |
| poi-ooxml-schemas-3.14.jar | cpe:/a:apache:poi:3.14 | org.apache.poi:poi-ooxml-schemas:3.14 | High | 1 | HIGHEST | 14 |
| poi-ooxml-3.14.jar | cpe:/a:apache:poi:3.14 | org.apache.poi:poi-ooxml:3.14 | High | 1 | HIGHEST | 14 |
| poi-scratchpad-3.14.jar | cpe:/a:apache:poi:3.14 | org.apache.poi:poi-scratchpad:3.14 | High | 1 | HIGHEST | 13 |
| poi-3.14.jar | cpe:/a:apache:poi:3.14 | org.apache.poi:poi:3.14 | High | 1 | HIGHEST | 13 |
| xmlsec-1.4.3.jar | cpe:/a:xmlsec_project:xmlsec:1.4.3 | org.apache.santuario:xmlsec:1.4.3 | 0 | LOW | 11 | |
| shiro-core-1.3.0.jar | cpe:/a:apache:shiro:1.3.0 | org.apache.shiro:shiro-core:1.3.0 | 0 | LOW | 21 | |
| sis-metadata-0.5.jar | org.apache.sis.core:sis-metadata:0.5 | 0 | 20 | |||
| sis-referencing-0.5.jar | org.apache.sis.core:sis-referencing:0.5 | 0 | 20 | |||
| sis-utility-0.5.jar | org.apache.sis.core:sis-utility:0.5 | 0 | 19 | |||
| sis-netcdf-0.5.jar | org.apache.sis.storage:sis-netcdf:0.5 | 0 | 21 | |||
| sis-storage-0.5.jar | org.apache.sis.storage:sis-storage:0.5 | 0 | 21 | |||
| solr-core-6.5.1.jar | cpe:/a:apache:solr:6.5.1 | org.apache.solr:solr-core:6.5.1 | Medium | 1 | HIGHEST | 13 |
| solr-solrj-6.5.1.jar | cpe:/a:apache:solr:6.5.1 | org.apache.solr:solr-solrj:6.5.1 | Medium | 1 | HIGHEST | 15 |
| tika-core-1.12.jar | cpe:/a:apache:tika:1.12 | org.apache.tika:tika-core:1.12 | High | 1 | LOW | 25 |
| tika-parsers-1.12.jar | cpe:/a:apache:tika:1.12 | org.apache.tika:tika-parsers:1.12 | High | 1 | LOW | 24 |
| tomcat-embed-core-8.0.39.jar |
cpe:/a:apache:tomcat:8.0.39
cpe:/a:apache_software_foundation:tomcat:8.0.39 |
org.apache.tomcat.embed:tomcat-embed-core:8.0.39 | Medium | 6 | HIGHEST | 11 |
| tomcat-embed-websocket-8.0.39.jar |
cpe:/a:apache:tomcat:8.0.39
cpe:/a:apache_software_foundation:tomcat:8.0.39 |
org.apache.tomcat.embed:tomcat-embed-websocket:8.0.39 | Medium | 6 | HIGHEST | 13 |
| tomcat-annotations-api-8.5.16.jar |
cpe:/a:apache:tomcat:3.0
cpe:/a:apache_software_foundation:tomcat:8.5.16 |
org.apache.tomcat:tomcat-annotations-api:8.5.16 | High | 35 | MEDIUM | 11 |
| tomcat-api-8.5.16.jar |
cpe:/a:apache:tomcat:8.5.16
cpe:/a:apache_software_foundation:tomcat:8.5.16 |
org.apache.tomcat:tomcat-api:8.5.16 | High | 3 | LOW | 12 |
| tomcat-catalina-ha-8.5.16.jar |
cpe:/a:apache:tomcat:8.5.16
cpe:/a:apache_software_foundation:tomcat:8.5.16 |
org.apache.tomcat:tomcat-catalina-ha:8.5.16 | High | 3 | LOW | 13 |
| tomcat-catalina-8.5.16.jar |
cpe:/a:apache:tomcat:8.5.16
cpe:/a:apache_software_foundation:tomcat:8.5.16 |
org.apache.tomcat:tomcat-catalina:8.5.16 | High | 3 | LOW | 12 |
| tomcat-coyote-8.5.16.jar |
cpe:/a:apache:tomcat:8.5.16
cpe:/a:apache_software_foundation:tomcat:8.5.16 |
org.apache.tomcat:tomcat-coyote:8.5.16 | High | 3 | LOW | 13 |
| tomcat-el-api-8.5.16.jar |
cpe:/a:apache:tomcat:3.0
cpe:/a:apache_software_foundation:tomcat:8.5.16 |
org.apache.tomcat:tomcat-el-api:8.5.16 | High | 35 | MEDIUM | 11 |
| tomcat-jasper-el-8.5.16.jar |
cpe:/a:apache:tomcat:8.5.16
cpe:/a:apache_software_foundation:tomcat:8.5.16 |
org.apache.tomcat:tomcat-jasper-el:8.5.16 | High | 3 | LOW | 13 |
| tomcat-jasper-8.5.16.jar |
cpe:/a:apache:tomcat:8.5.16
cpe:/a:apache_software_foundation:tomcat:8.5.16 |
org.apache.tomcat:tomcat-jasper:8.5.16 | High | 3 | LOW | 13 |
| tomcat-jaspic-api-8.5.16.jar |
cpe:/a:apache:tomcat:8.5.16
cpe:/a:apache_software_foundation:tomcat:8.5.16 |
org.apache.tomcat:tomcat-jaspic-api:8.5.16 | High | 3 | LOW | 13 |
| tomcat-jni-8.5.16.jar |
cpe:/a:apache:tomcat:8.5.16
cpe:/a:apache_software_foundation:tomcat:8.5.16 |
org.apache.tomcat:tomcat-jni:8.5.16 | High | 3 | LOW | 13 |
| tomcat-jsp-api-8.5.16.jar |
cpe:/a:apache:tomcat:8.5.16
cpe:/a:apache_software_foundation:tomcat:8.5.16 |
org.apache.tomcat:tomcat-jsp-api:8.5.16 | High | 3 | LOW | 12 |
| tomcat-juli-8.5.16.jar | cpe:/a:apache_software_foundation:tomcat:8.5.16 | org.apache.tomcat:tomcat-juli:8.5.16 | 0 | LOW | 12 | |
| tomcat-servlet-api-8.5.16.jar |
cpe:/a:apache:tomcat:3.1
cpe:/a:apache_software_foundation:tomcat:8.5.16 |
org.apache.tomcat:tomcat-servlet-api:8.5.16 | High | 36 | MEDIUM | 11 |
| tomcat-tribes-8.5.16.jar |
cpe:/a:apache:tomcat:8.5.16
cpe:/a:apache_software_foundation:tomcat:8.5.16 |
org.apache.tomcat:tomcat-tribes:8.5.16 | High | 3 | LOW | 13 |
| tomcat-util-scan-8.5.16.jar |
cpe:/a:apache:tomcat:8.5.16
cpe:/a:apache_software_foundation:tomcat:8.5.16 |
org.apache.tomcat:tomcat-util-scan:8.5.16 | High | 3 | LOW | 14 |
| tomcat-util-8.5.16.jar |
cpe:/a:apache:tomcat:8.5.16
cpe:/a:apache_software_foundation:tomcat:8.5.16 |
org.apache.tomcat:tomcat-util:8.5.16 | High | 3 | LOW | 13 |
| woden-core-1.0M10.jar | org.apache.woden:woden-core:1.0M10 | 0 | 21 | |||
| axiom-api-1.2.17.jar | org.apache.ws.commons.axiom:axiom-api:1.2.17 | 0 | 24 | |||
| axiom-impl-1.2.17.jar | org.apache.ws.commons.axiom:axiom-impl:1.2.17 | 0 | 14 | |||
| ws-commons-util-1.0.2.jar | org.apache.ws.commons.util:ws-commons-util:1.0.2 | 0 | 17 | |||
| xmlschema-core-2.2.1.jar | org.apache.ws.xmlschema:xmlschema-core:2.2.1 | 0 | 19 | |||
| xmlbeans-2.6.0.jar | org.apache.xmlbeans:xmlbeans:2.6.0 | 0 | 11 | |||
| batik-anim-1.8.jar | cpe:/a:apache:batik:1.8 | org.apache.xmlgraphics:batik-anim:1.8 | High | 1 | HIGHEST | 12 |
| batik-awt-util-1.8.jar | cpe:/a:apache:batik:1.8 | org.apache.xmlgraphics:batik-awt-util:1.8 | High | 1 | HIGHEST | 12 |
| batik-bridge-1.8.jar | cpe:/a:apache:batik:1.8 | org.apache.xmlgraphics:batik-bridge:1.8 | High | 1 | HIGHEST | 11 |
| batik-css-1.8.jar | cpe:/a:apache:batik:1.8 | org.apache.xmlgraphics:batik-css:1.8 | High | 1 | HIGHEST | 12 |
| batik-dom-1.8.jar | cpe:/a:apache:batik:1.8 | org.apache.xmlgraphics:batik-dom:1.8 | High | 1 | HIGHEST | 11 |
| batik-ext-1.8.jar | cpe:/a:apache:batik:1.8 | org.apache.xmlgraphics:batik-ext:1.8 | High | 1 | HIGHEST | 11 |
| batik-extension-1.8.jar | cpe:/a:apache:batik:1.8 | org.apache.xmlgraphics:batik-extension:1.8 | High | 1 | HIGHEST | 12 |
| batik-gvt-1.8.jar | cpe:/a:apache:batik:1.8 | org.apache.xmlgraphics:batik-gvt:1.8 | High | 1 | HIGHEST | 11 |
| batik-parser-1.8.jar | cpe:/a:apache:batik:1.8 | org.apache.xmlgraphics:batik-parser:1.8 | High | 1 | HIGHEST | 11 |
| batik-script-1.8.jar | cpe:/a:apache:batik:1.8 | org.apache.xmlgraphics:batik-script:1.8 | High | 1 | HIGHEST | 11 |
| batik-svg-dom-1.8.jar | cpe:/a:apache:batik:1.8 | org.apache.xmlgraphics:batik-svg-dom:1.8 | High | 1 | HIGHEST | 12 |
| batik-svggen-1.8.jar | cpe:/a:apache:batik:1.8 | org.apache.xmlgraphics:batik-svggen:1.8 | High | 1 | HIGHEST | 11 |
| batik-transcoder-1.8.jar | cpe:/a:apache:batik:1.8 | org.apache.xmlgraphics:batik-transcoder:1.8 | High | 1 | HIGHEST | 11 |
| batik-util-1.8.jar | cpe:/a:apache:batik:1.8 | org.apache.xmlgraphics:batik-util:1.8 | High | 1 | HIGHEST | 11 |
| batik-xml-1.8.jar | cpe:/a:apache:batik:1.8 | org.apache.xmlgraphics:batik-xml:1.8 | High | 1 | HIGHEST | 11 |
| fop-2.1.jar | org.apache.xmlgraphics:fop:2.1 | 0 | 12 | |||
| xmlgraphics-commons-2.1.jar | org.apache.xmlgraphics:xmlgraphics-commons:2.1 | 0 | 10 | |||
| xmlrpc-client-3.1.2.jar | org.apache.xmlrpc:xmlrpc-client:3.1.2 | 0 | 17 | |||
| xmlrpc-common-3.1.2.jar | org.apache.xmlrpc:xmlrpc-common:3.1.2 | 0 | 17 | |||
| xmlrpc-server-3.1.2.jar | org.apache.xmlrpc:xmlrpc-server:3.1.2 | 0 | 17 | |||
| zookeeper-3.4.6.jar | cpe:/a:apache:zookeeper:3.4.6 | org.apache.zookeeper:zookeeper:3.4.6 | Medium | 2 | LOW | 16 |
| aspectjrt-1.8.0.jar | org.aspectj:aspectjrt:1.8.0 | 0 | 12 | |||
| bsh-core-2.0b4.jar | cpe:/a:beanshell_project:beanshell:2.0.b4 | org.beanshell:bsh-core:2.0b4 | Medium | 1 | LOW | 10 |
| bcmail-jdk15on-1.52.jar | cpe:/a:mail_project:mail:1.52 | org.bouncycastle:bcmail-jdk15on:1.52 | Medium | 1 | LOW | 22 |
| bcpkix-jdk15on-1.52.jar | org.bouncycastle:bcpkix-jdk15on:1.52 | 0 | 20 | |||
| bcprov-jdk15on-1.52.jar | org.bouncycastle:bcprov-jdk15on:1.52 | 0 | 20 | |||
| bctsp-jdk14-1.38.jar | org.bouncycastle:bctsp-jdk14:1.38 | 0 | 12 | |||
| tagsoup-1.2.1.jar | org.ccil.cowan.tagsoup:tagsoup:1.2.1 | 0 | 9 | |||
| batik-all-1.8pre-r1084380.jar | cpe:/a:apache:batik:1.8pre | org.codeartisans.thirdparties.swing:batik-all:1.8pre-r1084380 | 0 | LOW | 11 | |
| groovy-all-2.4.12.jar | cpe:/a:apache:groovy:2.4.12 | org.codehaus.groovy:groovy-all:2.4.12 | Medium | 1 | LOW | 17 |
| jackson-core-asl-1.9.13.jar | cpe:/a:fasterxml:jackson:1.9.13 | org.codehaus.jackson:jackson-core-asl:1.9.13 | 0 | LOW | 15 | |
| jackson-mapper-asl-1.9.13.jar | cpe:/a:fasterxml:jackson:1.9.13 | org.codehaus.jackson:jackson-mapper-asl:1.9.13 | 0 | LOW | 14 | |
| commons-compiler-2.7.6.jar | cpe:/a:super_project:super:2.7.6 | org.codehaus.janino:commons-compiler:2.7.6 | 0 | LOW | 13 | |
| janino-2.7.6.jar | cpe:/a:super_project:super:2.7.6 | org.codehaus.janino:janino:2.7.6 | 0 | LOW | 13 | |
| animal-sniffer-annotations-1.14.jar | org.codehaus.mojo:animal-sniffer-annotations:1.14 | 0 | 15 | |||
| plexus-utils-1.5.6.jar | org.codehaus.plexus:plexus-utils:1.5.6 | 0 | 8 | |||
| stax2-api-3.1.4.jar | org.codehaus.woodstox:stax2-api:3.1.4 | 0 | 17 | |||
| woodstox-core-asl-4.4.1.jar | org.codehaus.woodstox:woodstox-core-asl:4.4.1 | 0 | 15 | |||
| jhighlight-1.0.2.jar | org.codelibs:jhighlight:1.0.2 | 0 | 14 | |||
| com.lowagie.text-2.1.7.jar | org.eclipse.birt.runtime.3_7_1:com.lowagie.text:2.1.7 | 0 | 12 | |||
| javax.wsdl-1.5.1.jar | org.eclipse.birt.runtime.3_7_1:javax.wsdl:1.5.1 | 0 | 17 | |||
| org.apache.batik.bridge-1.6.0.jar | cpe:/a:apache:batik:1.6.0 | org.eclipse.birt.runtime.3_7_1:org.apache.batik.bridge:1.6.0 | High | 2 | LOW | 13 |
| org.apache.batik.css-1.6.0.jar | cpe:/a:apache:batik:1.6.0 | org.eclipse.birt.runtime.3_7_1:org.apache.batik.css:1.6.0 | High | 2 | LOW | 14 |
| org.apache.batik.dom.svg-1.6.0.jar | cpe:/a:apache:batik:1.6.0 | org.eclipse.birt.runtime.3_7_1:org.apache.batik.dom.svg:1.6.0 | High | 2 | LOW | 14 |
| org.apache.batik.dom-1.6.0.jar | cpe:/a:apache:batik:1.6.0 | org.eclipse.birt.runtime.3_7_1:org.apache.batik.dom:1.6.0 | High | 2 | LOW | 13 |
| org.apache.batik.ext.awt-1.6.0.jar | cpe:/a:apache:batik:1.6.0 | org.eclipse.birt.runtime.3_7_1:org.apache.batik.ext.awt:1.6.0 | High | 2 | LOW | 14 |
| org.apache.batik.parser-1.6.0.jar | cpe:/a:apache:batik:1.6.0 | org.eclipse.birt.runtime.3_7_1:org.apache.batik.parser:1.6.0 | High | 2 | LOW | 13 |
| org.apache.batik.svggen-1.6.0.jar | cpe:/a:apache:batik:1.6.0 | org.eclipse.birt.runtime.3_7_1:org.apache.batik.svggen:1.6.0 | High | 2 | LOW | 13 |
| org.apache.batik.transcoder-1.6.0.jar | cpe:/a:apache:batik:1.6.0 | org.eclipse.birt.runtime.3_7_1:org.apache.batik.transcoder:1.6.0 | High | 2 | LOW | 13 |
| org.apache.batik.util.gui-1.6.0.jar | cpe:/a:apache:batik:1.6.0 | org.eclipse.birt.runtime.3_7_1:org.apache.batik.util.gui:1.6.0 | High | 2 | LOW | 13 |
| org.apache.batik.util-1.6.0.jar | cpe:/a:apache:batik:1.6.0 | org.eclipse.birt.runtime.3_7_1:org.apache.batik.util:1.6.0 | High | 2 | LOW | 13 |
| org.apache.batik.xml-1.6.0.jar | cpe:/a:apache:batik:1.6.0 | org.eclipse.birt.runtime.3_7_1:org.apache.batik.xml:1.6.0 | High | 2 | LOW | 13 |
| org.apache.commons.codec-1.3.0.jar | org.eclipse.birt.runtime.3_7_1:org.apache.commons.codec:1.3.0 | 0 | 12 | |||
| org.apache.xerces-2.9.0.jar | org.eclipse.birt.runtime.3_7_1:org.apache.xerces:2.9.0 | 0 | 12 | |||
| org.apache.xml.resolver-1.2.0.jar | org.eclipse.birt.runtime.3_7_1:org.apache.xml.resolver:1.2.0 | 0 | 12 | |||
| org.apache.xml.serializer-2.7.1.jar | org.eclipse.birt.runtime.3_7_1:org.apache.xml.serializer:2.7.1 | 0 | 12 | |||
| org.mozilla.javascript-1.7.2.jar | org.eclipse.birt.runtime.3_7_1:org.mozilla.javascript:1.7.2 | 0 | 11 | |||
| org.w3c.css.sac-1.3.0.jar | org.eclipse.birt.runtime.3_7_1:org.w3c.css.sac:1.3.0 | 0 | 12 | |||
| org.w3c.dom.smil-1.0.0.jar | org.eclipse.birt.runtime.3_7_1:org.w3c.dom.smil:1.0.0 | 0 | 13 | |||
| org.w3c.dom.svg-1.1.0.jar | org.eclipse.birt.runtime.3_7_1:org.w3c.dom.svg:1.1.0 | 0 | 13 | |||
| Tidy-1.jar | org.eclipse.birt.runtime.3_7_1:Tidy:1 | 0 | 7 | |||
| com.ibm.icu-50.1.1.v201304230130.jar | org.eclipse.birt.runtime:com.ibm.icu:50.1.1.v201304230130 | 0 | 13 | |||
| javax.xml.stream-1.0.1.v201004272200.jar | org.eclipse.birt.runtime:javax.xml.stream:1.0.1.v201004272200 | 0 | 12 | |||
| org.eclipse.birt.runtime-4.4.1.jar | cpe:/a:eclipse:birt:4.4.1 | org.eclipse.birt.runtime:org.eclipse.birt.runtime:4.4.1 | 0 | LOW | 11 | |
| org.eclipse.core.contenttype-3.4.200.v20130326-1255.jar | org.eclipse.birt.runtime:org.eclipse.core.contenttype:3.4.200.v20130326-1255 | 0 | 14 | |||
| org.eclipse.core.expressions-3.4.500.v20130515-1343.jar | org.eclipse.birt.runtime:org.eclipse.core.expressions:3.4.500.v20130515-1343 | 0 | 14 | |||
| org.eclipse.core.filesystem-1.4.0.v20130514-1240.jar | org.eclipse.birt.runtime:org.eclipse.core.filesystem:1.4.0.v20130514-1240 | 0 | 14 | |||
| org.eclipse.core.jobs-3.6.0.v20140424-0053.jar | org.eclipse.birt.runtime:org.eclipse.core.jobs:3.6.0.v20140424-0053 | 0 | 14 | |||
| org.eclipse.core.resources-3.9.1.v20140825-1431.jar | org.eclipse.birt.runtime:org.eclipse.core.resources:3.9.1.v20140825-1431 | 0 | 14 | |||
| org.eclipse.core.resources-3.9.1.v20140825-1431.jar: resources-ant.jar | 0 | 5 | ||||
| org.eclipse.core.runtime-3.9.0.v20130326-1255.jar | org.eclipse.birt.runtime:org.eclipse.core.runtime:3.9.0.v20130326-1255 | 0 | 13 | |||
| org.eclipse.datatools.connectivity.apache.derby.dbdefinition-1.0.2.v201107221459.jar | cpe:/a:apache:derby:1.0.2.v20110722 | org.eclipse.birt.runtime:org.eclipse.datatools.connectivity.apache.derby.dbdefinition:1.0.2.v201107221459 | Medium | 2 | LOW | 8 |
| org.eclipse.datatools.connectivity.apache.derby-1.0.103.v201212070447.jar | cpe:/a:apache:derby:1.0.103.v20121207 | org.eclipse.birt.runtime:org.eclipse.datatools.connectivity.apache.derby:1.0.103.v201212070447 | Medium | 2 | LOW | 14 |
| org.eclipse.datatools.connectivity.console.profile-1.0.10.v201109250955.jar | org.eclipse.birt.runtime:org.eclipse.datatools.connectivity.console.profile:1.0.10.v201109250955 | 0 | 14 | |||
| org.eclipse.datatools.connectivity.db.generic-1.0.1.v201107221459.jar | org.eclipse.birt.runtime:org.eclipse.datatools.connectivity.db.generic:1.0.1.v201107221459 | 0 | 14 | |||
| org.eclipse.datatools.connectivity.dbdefinition.genericJDBC-1.0.1.v201107221459.jar | org.eclipse.birt.runtime:org.eclipse.datatools.connectivity.dbdefinition.genericJDBC:1.0.1.v201107221459 | 0 | 8 | |||
| org.eclipse.datatools.connectivity.oda.consumer-3.2.6.v201305170644.jar | org.eclipse.birt.runtime:org.eclipse.datatools.connectivity.oda.consumer:3.2.6.v201305170644 | 0 | 14 | |||
| org.eclipse.datatools.connectivity.oda.design-3.3.6.v201212070447.jar | org.eclipse.birt.runtime:org.eclipse.datatools.connectivity.oda.design:3.3.6.v201212070447 | 0 | 14 | |||
| org.eclipse.datatools.connectivity.oda.flatfile-3.1.8.v201403010906.jar | org.eclipse.birt.runtime:org.eclipse.datatools.connectivity.oda.flatfile:3.1.8.v201403010906 | 0 | 14 | |||
| org.eclipse.datatools.connectivity.oda.profile-3.2.9.v201403131814.jar | org.eclipse.birt.runtime:org.eclipse.datatools.connectivity.oda.profile:3.2.9.v201403131814 | 0 | 14 | |||
| org.eclipse.datatools.connectivity.oda-3.4.3.v201405301249.jar | org.eclipse.birt.runtime:org.eclipse.datatools.connectivity.oda:3.4.3.v201405301249 | 0 | 14 | |||
| org.eclipse.datatools.connectivity.sqm.core-1.2.8.v201401230755.jar | org.eclipse.birt.runtime:org.eclipse.datatools.connectivity.sqm.core:1.2.8.v201401230755 | 0 | 14 | |||
| org.eclipse.datatools.connectivity-1.2.11.v201401230755.jar | org.eclipse.birt.runtime:org.eclipse.datatools.connectivity:1.2.11.v201401230755 | 0 | 13 | |||
| org.eclipse.datatools.enablement.hsqldb.dbdefinition-1.0.0.v201107221502.jar | org.eclipse.birt.runtime:org.eclipse.datatools.enablement.hsqldb.dbdefinition:1.0.0.v201107221502 | 0 | 8 | |||
| org.eclipse.datatools.enablement.hsqldb-1.0.0.v201107221502.jar | org.eclipse.birt.runtime:org.eclipse.datatools.enablement.hsqldb:1.0.0.v201107221502 | 0 | 14 | |||
| org.eclipse.datatools.enablement.ibm.db2.luw.dbdefinition-1.0.4.v201107221502.jar | cpe:/a:ibm:db2:1.0.4.v20110722 | org.eclipse.birt.runtime:org.eclipse.datatools.enablement.ibm.db2.luw.dbdefinition:1.0.4.v201107221502 | High | 23 | LOW | 8 |
| org.eclipse.datatools.enablement.ibm.db2.luw-1.0.2.v201107221502.jar | cpe:/a:ibm:db2:1.0.2.v20110722 | org.eclipse.birt.runtime:org.eclipse.datatools.enablement.ibm.db2.luw:1.0.2.v201107221502 | High | 23 | LOW | 14 |
| org.eclipse.datatools.enablement.ibm.informix.dbdefinition-1.0.4.v201107221502.jar | org.eclipse.birt.runtime:org.eclipse.datatools.enablement.ibm.informix.dbdefinition:1.0.4.v201107221502 | 0 | 8 | |||
| org.eclipse.datatools.enablement.ibm.informix-1.0.1.v201107221502.jar | cpe:/a:ibm:informix:1.0.1.v20110722 | org.eclipse.birt.runtime:org.eclipse.datatools.enablement.ibm.informix:1.0.1.v201107221502 | 0 | LOW | 14 | |
| org.eclipse.datatools.enablement.msft.sqlserver.dbdefinition-1.0.1.v201201240505.jar | org.eclipse.birt.runtime:org.eclipse.datatools.enablement.msft.sqlserver.dbdefinition:1.0.1.v201201240505 | 0 | 8 | |||
| org.eclipse.datatools.enablement.msft.sqlserver-1.0.2.v201212120617.jar | org.eclipse.birt.runtime:org.eclipse.datatools.enablement.msft.sqlserver:1.0.2.v201212120617 | 0 | 14 | |||
| org.eclipse.datatools.enablement.mysql.dbdefinition-1.0.4.v201109022331.jar | cpe:/a:mysql:mysql:1.0.4.v20110902 | org.eclipse.birt.runtime:org.eclipse.datatools.enablement.mysql.dbdefinition:1.0.4.v201109022331 | High | 25 | LOW | 8 |
| org.eclipse.datatools.enablement.mysql-1.0.4.v201212120617.jar | cpe:/a:mysql:mysql:1.0.4.v20121212 | org.eclipse.birt.runtime:org.eclipse.datatools.enablement.mysql:1.0.4.v201212120617 | High | 25 | LOW | 14 |
| org.eclipse.datatools.enablement.oda.ws-1.2.6.v201403131825.jar | org.eclipse.birt.runtime:org.eclipse.datatools.enablement.oda.ws:1.2.6.v201403131825 | 0 | 14 | |||
| org.eclipse.datatools.enablement.oda.xml-1.2.5.v201305031101.jar | org.eclipse.birt.runtime:org.eclipse.datatools.enablement.oda.xml:1.2.5.v201305031101 | 0 | 14 | |||
| org.eclipse.datatools.enablement.oracle.dbdefinition-1.0.103.v201206010214.jar | org.eclipse.birt.runtime:org.eclipse.datatools.enablement.oracle.dbdefinition:1.0.103.v201206010214 | 0 | 8 | |||
| org.eclipse.datatools.enablement.oracle-1.0.0.v201107221506.jar | org.eclipse.birt.runtime:org.eclipse.datatools.enablement.oracle:1.0.0.v201107221506 | 0 | 14 | |||
| org.eclipse.datatools.enablement.postgresql.dbdefinition-1.0.2.v201110070445.jar | cpe:/a:postgresql:postgresql:1.0.2.v20111007 | org.eclipse.birt.runtime:org.eclipse.datatools.enablement.postgresql.dbdefinition:1.0.2.v201110070445 | High | 20 | LOW | 8 |
| org.eclipse.datatools.enablement.postgresql-1.1.1.v201205252207.jar | cpe:/a:postgresql:postgresql:1.1.1.v20120525 | org.eclipse.birt.runtime:org.eclipse.datatools.enablement.postgresql:1.1.1.v201205252207 | High | 20 | LOW | 14 |
| org.eclipse.datatools.modelbase.dbdefinition-1.0.2.v201107221519.jar | org.eclipse.birt.runtime:org.eclipse.datatools.modelbase.dbdefinition:1.0.2.v201107221519 | 0 | 14 | |||
| org.eclipse.datatools.modelbase.derby-1.0.0.v201107221519.jar | org.eclipse.birt.runtime:org.eclipse.datatools.modelbase.derby:1.0.0.v201107221519 | 0 | 14 | |||
| org.eclipse.datatools.modelbase.sql.query-1.1.4.v201212120619.jar | org.eclipse.birt.runtime:org.eclipse.datatools.modelbase.sql.query:1.1.4.v201212120619 | 0 | 14 | |||
| org.eclipse.datatools.modelbase.sql-1.0.6.v201208230744.jar | org.eclipse.birt.runtime:org.eclipse.datatools.modelbase.sql:1.0.6.v201208230744 | 0 | 14 | |||
| org.eclipse.emf.common-2.10.1.v20140901-1043.jar | org.eclipse.birt.runtime:org.eclipse.emf.common:2.10.1.v20140901-1043 | 0 | 14 | |||
| org.eclipse.emf.ecore.change-2.10.0.v20140901-1043.jar | org.eclipse.birt.runtime:org.eclipse.emf.ecore.change:2.10.0.v20140901-1043 | 0 | 14 | |||
| org.eclipse.emf.ecore.xmi-2.10.1.v20140901-1043.jar | org.eclipse.birt.runtime:org.eclipse.emf.ecore.xmi:2.10.1.v20140901-1043 | 0 | 14 | |||
| org.eclipse.emf.ecore-2.10.1.v20140901-1043.jar | org.eclipse.birt.runtime:org.eclipse.emf.ecore:2.10.1.v20140901-1043 | 0 | 13 | |||
| org.eclipse.emf-2.6.0.v20140901-1055.jar | org.eclipse.birt.runtime:org.eclipse.emf:2.6.0.v20140901-1055 | 0 | 8 | |||
| org.eclipse.equinox.app-1.3.100.v20130327-1442.jar | org.eclipse.birt.runtime:org.eclipse.equinox.app:1.3.100.v20130327-1442 | 0 | 17 | |||
| org.eclipse.equinox.common-3.6.200.v20130402-1505.jar | org.eclipse.birt.runtime:org.eclipse.equinox.common:3.6.200.v20130402-1505 | 0 | 14 | |||
| org.eclipse.equinox.preferences-3.5.100.v20130422-1538.jar | org.eclipse.birt.runtime:org.eclipse.equinox.preferences:3.5.100.v20130422-1538 | 0 | 18 | |||
| org.eclipse.equinox.registry-3.5.400.v20140428-1507.jar | org.eclipse.birt.runtime:org.eclipse.equinox.registry:3.5.400.v20140428-1507 | 0 | 16 | |||
| org.eclipse.orbit.mongodb-2.10.1.v20130422-1135.jar | cpe:/a:mongodb:mongodb:2.10.1.v20130422 | org.eclipse.birt.runtime:org.eclipse.orbit.mongodb:2.10.1.v20130422-1135 | Low | 2 | LOW | 10 |
| org.eclipse.osgi.services-3.3.100.v20130513-1956.jar | org.eclipse.birt.runtime:org.eclipse.osgi.services:3.3.100.v20130513-1956 | 0 | 13 | |||
| org.eclipse.osgi-3.10.1.v20140909-1633.jar | org.eclipse.birt.runtime:org.eclipse.osgi:3.10.1.v20140909-1633 | 0 | 14 | |||
| org.eclipse.update.configurator-3.3.200.v20130326-1319.jar | org.eclipse.birt.runtime:org.eclipse.update.configurator:3.3.200.v20130326-1319 | 0 | 15 | |||
| viewservlets-4.5.0.jar | cpe:/a:eclipse:birt:4.5.0 | org.eclipse.birt.runtime:viewservlets:4.5.0 | 0 | LOW | 8 | |
| ecj-3.12.3.jar | org.eclipse.jdt:ecj:3.12.3 | 0 | 12 | |||
| jetty-continuation-9.3.14.v20161028.jar |
cpe:/a:eclipse:jetty:9.3.14.v20161028
cpe:/a:jetty:jetty:9.3.14.v20161028 |
org.eclipse.jetty:jetty-continuation:9.3.14.v20161028 | Medium | 1 | LOW | 24 |
| jetty-deploy-9.3.14.v20161028.jar |
cpe:/a:eclipse:jetty:9.3.14.v20161028
cpe:/a:jetty:jetty:9.3.14.v20161028 |
org.eclipse.jetty:jetty-deploy:9.3.14.v20161028 | Medium | 1 | LOW | 24 |
| jetty-http-9.3.14.v20161028.jar |
cpe:/a:eclipse:jetty:9.3.14.v20161028
cpe:/a:jetty:jetty:9.3.14.v20161028 |
org.eclipse.jetty:jetty-http:9.3.14.v20161028 | Medium | 1 | LOW | 23 |
| jetty-io-9.3.14.v20161028.jar | org.eclipse.jetty:jetty-io:9.3.14.v20161028 | 0 | 23 | |||
| jetty-jmx-9.3.14.v20161028.jar |
cpe:/a:eclipse:jetty:9.3.14.v20161028
cpe:/a:jetty:jetty:9.3.14.v20161028 |
org.eclipse.jetty:jetty-jmx:9.3.14.v20161028 | Medium | 1 | LOW | 24 |
| jetty-rewrite-9.3.14.v20161028.jar |
cpe:/a:eclipse:jetty:9.3.14.v20161028
cpe:/a:jetty:jetty:9.3.14.v20161028 |
org.eclipse.jetty:jetty-rewrite:9.3.14.v20161028 | Medium | 1 | LOW | 24 |
| jetty-security-9.3.14.v20161028.jar |
cpe:/a:eclipse:jetty:9.3.14.v20161028
cpe:/a:jetty:jetty:9.3.14.v20161028 |
org.eclipse.jetty:jetty-security:9.3.14.v20161028 | Medium | 1 | LOW | 24 |
| jetty-server-9.3.14.v20161028.jar |
cpe:/a:eclipse:jetty:9.3.14.v20161028
cpe:/a:jetty:jetty:9.3.14.v20161028 |
org.eclipse.jetty:jetty-server:9.3.14.v20161028 | Medium | 1 | LOW | 24 |
| jetty-servlet-9.3.14.v20161028.jar |
cpe:/a:eclipse:jetty:9.3.14.v20161028
cpe:/a:jetty:jetty:9.3.14.v20161028 |
org.eclipse.jetty:jetty-servlet:9.3.14.v20161028 | Medium | 1 | LOW | 24 |
| jetty-servlets-9.3.14.v20161028.jar |
cpe:/a:eclipse:jetty:9.3.14.v20161028
cpe:/a:jetty:jetty:9.3.14.v20161028 |
org.eclipse.jetty:jetty-servlets:9.3.14.v20161028 | Medium | 1 | LOW | 24 |
| jetty-util-9.3.14.v20161028.jar |
cpe:/a:eclipse:jetty:9.3.14.v20161028
cpe:/a:jetty:jetty:9.3.14.v20161028 |
org.eclipse.jetty:jetty-util:9.3.14.v20161028 | Medium | 1 | LOW | 24 |
| jetty-webapp-9.3.14.v20161028.jar |
cpe:/a:eclipse:jetty:9.3.14.v20161028
cpe:/a:jetty:jetty:9.3.14.v20161028 |
org.eclipse.jetty:jetty-webapp:9.3.14.v20161028 | Medium | 1 | LOW | 24 |
| jetty-xml-9.3.14.v20161028.jar |
cpe:/a:eclipse:jetty:9.3.14.v20161028
cpe:/a:jetty:jetty:9.3.14.v20161028 |
org.eclipse.jetty:jetty-xml:9.3.14.v20161028 | Medium | 1 | LOW | 24 |
| freemarker-2.3.25-incubating.jar | org.freemarker:freemarker:2.3.25-incubating | 0 | 18 | |||
| vorbis-java-core-0.6.jar | org.gagravarr:vorbis-java-core:0.6 | 0 | 13 | |||
| vorbis-java-tika-0.6.jar | cpe:/a:apache:tika:0.6 | org.gagravarr:vorbis-java-tika:0.6 | High | 1 | LOW | 14 |
| hamcrest-all-1.3.jar | org.hamcrest:hamcrest-all:1.3 | 0 | 14 | |||
| hamcrest-core-1.1.jar | org.hamcrest:hamcrest-core:1.1 | 0 | 12 | |||
| hamcrest-core-1.3.jar | org.hamcrest:hamcrest-core:1.3 | 0 | 10 | |||
| ejb3-persistence-1.0.1.GA.jar | org.hibernate:ejb3-persistence:1.0.1.GA | 0 | 12 | |||
| hibernate-annotations-3.3.1.GA.jar | org.hibernate:hibernate-annotations:3.3.1.GA | 0 | 14 | |||
| hibernate-commons-annotations-3.0.0.ga.jar | org.hibernate:hibernate-commons-annotations:3.0.0.ga | 0 | 11 | |||
| hibernate-3.2.6.ga.jar | org.hibernate:hibernate:3.2.6.ga | 0 | 9 | |||
| inspektr-core-0.7.0.jar | org.inspektr:inspektr-core:0.7.0 | 0 | 15 | |||
| bzip2-0.9.1.jar | cpe:/a:bzip:bzip2:0.9.1 | org.itadaki:bzip2:0.9.1 | Medium | 3 | LOW | 13 |
| cas-server-core-3.3.5.jar | org.jasig.cas:cas-server-core:3.3.5 | 0 | 16 | |||
| person-directory-api-1.5.0-RC5.jar | org.jasig.service:person-directory-api:1.5.0-RC5 | 0 | 18 | |||
| person-directory-impl-1.5.0-RC5.jar | org.jasig.service:person-directory-impl:1.5.0-RC5 | 0 | 18 | |||
| com.springsource.org.jdom-1.0.0.jar | org.jdom:com.springsource.org.jdom:1.0.0 | 0 | 9 | |||
| jdom2-2.0.4.jar | org.jdom:jdom2:2.0.4 | 0 | 34 | |||
| jdom-2.0.2.jar | org.jdom:jdom:2.0.2 | 0 | 34 | |||
| json-20140107.jar | org.json:json:20140107 | 0 | 12 | |||
| jsoup-1.8.3.jar | org.jsoup:jsoup:1.8.3 | 0 | 18 | |||
| spatial4j-0.6.jar | org.locationtech.spatial4j:spatial4j:0.6 | 0 | 18 | |||
| flute-1.3.jar | org.milyn:flute:1.3 | 0 | 9 | |||
| noggit-0.6.jar | org.noggit:noggit:0.6 | 0 | 12 | |||
| geoapi-3.0.0.jar | org.opengis:geoapi:3.0.0 | 0 | 18 | |||
| opensaml-1.1b.jar | org.opensaml:opensaml:1.1b | 0 | 6 | |||
| asm-commons-5.1.jar | org.ow2.asm:asm-commons:5.1 | 0 | 15 | |||
| asm-5.1.jar | org.ow2.asm:asm:5.1 | 0 | 14 | |||
| antisamy-1.4.3.jar | cpe:/a:antisamy_project:antisamy:1.4.3 | org.owasp.antisamy:antisamy:1.4.3 | Medium | 1 | LOW | 15 |
| esapi-2.1.0.jar | cpe:/a:owasp:enterprise_security_api:2.1.0 | org.owasp.esapi:esapi:2.1.0 | Medium | 1 | HIGHEST | 19 |
| quartz-2.2.0.jar | org.quartz-scheduler:quartz:2.2.0 | 0 | 22 | |||
| org.restlet.ext.servlet-2.3.0.jar |
cpe:/a:restlet:restlet:2.3.0
cpe:/a:restlet:restlet_framework:2.3.0 |
org.restlet.jee:org.restlet.ext.servlet:2.3.0 | 0 | LOW | 9 | |
| org.restlet-2.3.0.jar |
cpe:/a:restlet:restlet:2.3.0
cpe:/a:restlet:restlet_framework:2.3.0 |
org.restlet.jee:org.restlet:2.3.0 | 0 | LOW | 7 | |
| jug-2.0.0-asl.jar | org.safehaus.jug:jug:2.0.0 | 0 | 12 | |||
| jcl-over-slf4j-1.7.7.jar | org.slf4j:jcl-over-slf4j:1.7.7 | 0 | 19 | |||
| slf4j-api-1.7.21.jar | org.slf4j:slf4j-api:1.7.21 | 0 | 19 | |||
| slf4j-api-1.7.7.jar | org.slf4j:slf4j-api:1.7.7 | 0 | 19 | |||
| spring-beans-2.5.6.jar |
cpe:/a:pivotal:spring_framework:2.5.6
cpe:/a:pivotal_software:spring_framework:2.5.6 cpe:/a:springsource:spring_framework:2.5.6 cpe:/a:vmware:springsource_spring_framework:2.5.6 |
org.springframework:spring-beans:2.5.6 | High | 8 | HIGHEST | 16 |
| spring-binding-1.0.6.jar | org.springframework:spring-binding:1.0.6 | 0 | 10 | |||
| spring-context-support-2.5.6.SEC01.jar |
cpe:/a:context_project:context:2.5.6.sec01
cpe:/a:pivotal:spring_framework:2.5.6.sec01 cpe:/a:pivotal_software:spring_framework:2.5.6.sec01 cpe:/a:springsource:spring_framework:2.5.6.sec01 cpe:/a:vmware:springsource_spring_framework:2.5.6.sec01 |
org.springframework:spring-context-support:2.5.6.SEC01 | High | 7 | LOW | 14 |
| spring-context-2.5.6.SEC01.jar |
cpe:/a:pivotal:spring_framework:2.5.6.sec01
cpe:/a:pivotal_software:spring_framework:2.5.6.sec01 cpe:/a:springsource:spring_framework:2.5.6.sec01 cpe:/a:vmware:springsource_spring_framework:2.5.6.sec01 |
org.springframework:spring-context:2.5.6.SEC01 | High | 7 | LOW | 14 |
| spring-core-4.2.3.RELEASE.jar |
cpe:/a:pivotal:spring_framework:4.2.3
cpe:/a:pivotal_software:spring_framework:4.2.3 cpe:/a:springsource:spring_framework:4.2.3 cpe:/a:vmware:springsource_spring_framework:4.2.3 |
org.springframework:spring-core:4.2.3.RELEASE | Medium | 2 | HIGHEST | 12 |
| spring-jdbc-2.5.6.SEC01.jar |
cpe:/a:pivotal:spring_framework:2.5.6.sec01
cpe:/a:pivotal_software:spring_framework:2.5.6.sec01 cpe:/a:springsource:spring_framework:2.5.6.sec01 cpe:/a:vmware:springsource_spring_framework:2.5.6.sec01 |
org.springframework:spring-jdbc:2.5.6.SEC01 | High | 7 | LOW | 15 |
| spring-orm-2.5.6.SEC01.jar |
cpe:/a:pivotal:spring_framework:2.5.6.sec01
cpe:/a:pivotal_software:spring_framework:2.5.6.sec01 cpe:/a:springsource:spring_framework:2.5.6.sec01 cpe:/a:vmware:springsource_spring_framework:2.5.6.sec01 |
org.springframework:spring-orm:2.5.6.SEC01 | High | 7 | LOW | 15 |
| spring-test-4.2.3.RELEASE.jar | org.springframework:spring-test:4.2.3.RELEASE | 0 | 10 | |||
| spring-tx-2.5.6.SEC01.jar |
cpe:/a:pivotal:spring_framework:2.5.6.sec01
cpe:/a:pivotal_software:spring_framework:2.5.6.sec01 cpe:/a:springsource:spring_framework:2.5.6.sec01 cpe:/a:vmware:springsource_spring_framework:2.5.6.sec01 |
org.springframework:spring-tx:2.5.6.SEC01 | High | 7 | LOW | 15 |
| spring-web-2.5.6.SEC01.jar |
cpe:/a:pivotal:spring_framework:2.5.6.sec01
cpe:/a:pivotal_software:spring_framework:2.5.6.sec01 cpe:/a:springsource:spring_framework:2.5.6.sec01 cpe:/a:vmware:springsource_spring_framework:2.5.6.sec01 |
org.springframework:spring-web:2.5.6.SEC01 | High | 7 | LOW | 15 |
| spring-webflow-1.0.6.jar | org.springframework:spring-webflow:1.0.6 | 0 | 10 | |||
| spring-webmvc-2.5.6.SEC01.jar |
cpe:/a:pivotal:spring_framework:2.5.6.sec01
cpe:/a:pivotal_software:spring_framework:2.5.6.sec01 cpe:/a:springsource:spring_framework:2.5.6.sec01 cpe:/a:vmware:springsource_spring_framework:2.5.6.sec01 |
org.springframework:spring-webmvc:2.5.6.SEC01 | High | 7 | LOW | 16 |
| xz-1.5.jar | cpe:/a:tukaani:xz:1.5 | org.tukaani:xz:1.5 | Medium | 1 | LOW | 13 |
| jackson-databind-java-optional-2.4.2.jar | org.zapodot:jackson-databind-java-optional:2.4.2 | 0 | 12 | |||
| oro-2.0.8.jar | oro:oro:2.0.8 | 0 | 12 | |||
| regexp-1.3.jar | regexp:regexp:1.3 | 0 | 7 | |||
| stax-api-1.0.1.jar | stax:stax-api:1.0.1 | 0 | 13 | |||
| wsdl4j-1.6.2.jar | wsdl4j:wsdl4j:1.6.2 | 0 | 13 | |||
| xalan-2.7.0.jar | cpe:/a:apache:xalan-java:2.7.0 | xalan:xalan:2.7.0 | High | 1 | HIGHEST | 25 |
| xercesImpl-2.8.1.jar | xerces:xercesImpl:2.8.1 | 0 | 46 | |||
| xml-apis-ext-1.3.04.jar | xml-apis:xml-apis-ext:1.3.04 | 0 | 19 | |||
| xml-apis-2.0.2.jar | xml-apis:xml-apis:2.0.2 | 0 | 26 | |||
| xmlpull-1.1.3.1.jar | xmlpull:xmlpull:1.1.3.1 | 0 | 7 | |||
| xom-1.2.5.jar | xom:xom:1.2.5 | 0 | 30 | |||
| xpp3_min-1.1.4c.jar | xpp3:xpp3_min:1.1.4c | 0 | 7 | |||
| htrace-core-3.2.0-incubating.jar\META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.xml | cpe:/a:fasterxml:jackson:2.4.0 | com.fasterxml.jackson.core:jackson-core:2.4.0 | 0 | LOW | 9 | |
| htrace-core-3.2.0-incubating.jar\META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml | cpe:/a:fasterxml:jackson:2.4.0 | com.fasterxml.jackson.core:jackson-databind:2.4.0 | 0 | LOW | 9 | |
| htrace-core-3.2.0-incubating.jar\META-INF/maven/com.fasterxml.jackson.core/jackson-annotations/pom.xml | cpe:/a:fasterxml:jackson:2.4.0 | com.fasterxml.jackson.core:jackson-annotations:2.4.0 | 0 | LOW | 9 | |
| htrace-core-3.2.0-incubating.jar\META-INF/maven/commons-logging/commons-logging/pom.xml | commons-logging:commons-logging:1.1.1 | 0 | 9 | |||
| axiom-impl-1.2.17.jar\META-INF/maven/org.apache.ws.commons.axiom/om-aspects/pom.xml | org.apache.ws.commons.axiom:om-aspects:1.2.17 | 0 | 8 | |||
| axiom-impl-1.2.17.jar\META-INF/maven/org.apache.ws.commons.axiom/core-aspects/pom.xml | org.apache.ws.commons.axiom:core-aspects:1.2.17 | 0 | 7 | |||
| axiom-impl-1.2.17.jar\META-INF/maven/org.apache.ws.commons.axiom/shared-aspects/pom.xml | org.apache.ws.commons.axiom:shared-aspects:1.2.17 | 0 | 8 | |||
| axiom-impl-1.2.17.jar\META-INF/maven/org.apache.ws.commons.axiom/xml-utils/pom.xml | org.apache.ws.commons.axiom:xml-utils:1.2.17 | 0 | 6 | |||
| plexus-utils-1.5.6.jar\META-INF/maven/org.codehaus.plexus/plexus-interpolation/pom.xml | org.codehaus.plexus:plexus-interpolation:1.0 | 0 | 7 |
File Path: Z:\Gradle\caches\modules-2\files-2.1\antlr\antlr\2.7.6\cf4f67dae5df4f9932ae7810f4548ef3e14dd35e\antlr-2.7.6.jar
MD5: 97c6bb68108a3d68094eab0f67157962
SHA1: cf4f67dae5df4f9932ae7810f4548ef3e14dd35e
Referenced In Projects/Scopes:
Description: AOP Alliance
License:
Public DomainFile Path: Z:\Gradle\caches\modules-2\files-2.1\aopalliance\aopalliance\1.0\235ba8b489512805ac13a8f9ea77a1ca5ebe3e8\aopalliance-1.0.jar
Description:
Xerces2 is the next generation of high performance, fully compliant XML parsers in the
Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI),
a complete framework for building parser components and configurations that is extremely
modular and easy to program.
File Path: Z:\Gradle\caches\modules-2\files-2.1\apache-xerces\xercesImpl\2.9.1\7bc7e49ddfe4fb5f193ed37ecc96c12292c8ceb6\xercesImpl-2.9.1.jar
MD5: f807f86d7d9db25edbfc782aca7ca2a9
SHA1: 7bc7e49ddfe4fb5f193ed37ecc96c12292c8ceb6
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\asm\asm-attrs\1.5.3\911ca40cdb527969ee47dc6f782425d94a36b510\asm-attrs-1.5.3.jar
MD5: 2f222ca7499ed5bc49fe25a1182c59f7
SHA1: 911ca40cdb527969ee47dc6f782425d94a36b510
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\asm\asm\1.5.3\63a2715c39c9e97f88fe371d4441a1b3493d74f9\asm-1.5.3.jar
MD5: ea4119d1471fc3c1af6b216815bd666c
SHA1: 63a2715c39c9e97f88fe371d4441a1b3493d74f9
Referenced In Projects/Scopes:
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/legal/epl-v10.htmlFile Path: Z:\Gradle\caches\modules-2\files-2.1\aspectj\aspectjrt\1.5.3\80e9fde0223721baefb5df5f251888cc2456ed6\aspectjrt-1.5.3.jar
License:
Eclipse Public License - v 1.0: http://www.eclipse.org/legal/epl-v10.htmlFile Path: Z:\Gradle\caches\modules-2\files-2.1\aspectj\aspectjweaver\1.5.3\4040e72d0dda6e9a03d879835cd3f70f19284c34\aspectjweaver-1.5.3.jar
File Path: Z:\Gradle\caches\modules-2\files-2.1\avalon-framework\avalon-framework-impl\4.2.0\4da1db18947eb6950abb7ad79253011b9aec0e48\avalon-framework-impl-4.2.0.jar
MD5: 5c1f8f5c8c6c043538fc4ea038c2aaf6
SHA1: 4da1db18947eb6950abb7ad79253011b9aec0e48
Referenced In Projects/Scopes:
Description: Dawid Kurzyniec's backport of JSR 166
License:
Public Domain: http://creativecommons.org/licenses/publicdomainFile Path: Z:\Gradle\caches\modules-2\files-2.1\backport-util-concurrent\backport-util-concurrent\3.1\682f7ac17fed79e92f8e87d8455192b63376347b\backport-util-concurrent-3.1.jar
Description: The Bouncy Castle Java CMS and S/MIME APIs for handling the CMS and S/MIME protocols. This jar contains CMS and S/MIME APIs for JDK 1.4. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs. If the S/MIME API is used, the JavaMail API and the Java activation framework will also be needed.
License:
Bouncy Castle Licence: http://www.bouncycastle.org/licence.htmlFile Path: Z:\Gradle\caches\modules-2\files-2.1\bouncycastle\bcmail-jdk14\138\14ff2dfec8578f5f6838c4d6a77a86789afe5382\bcmail-jdk14-138.jar
Description: The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.4.
License:
Bouncy Castle Licence: http://www.bouncycastle.org/licence.htmlFile Path: Z:\Gradle\caches\modules-2\files-2.1\bouncycastle\bcprov-jdk14\138\de366c3243a586eb3c0e2bcde1ed9bb1bfb985ff\bcprov-jdk14-138.jar
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."
Vulnerable Software & Versions: (show all)
Description:
c3p0 is an easy-to-use library for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources,
including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension.
License:
GNU LESSER GENERAL PUBLIC LICENSE: http://www.gnu.org/licenses/lgpl.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\c3p0\c3p0\0.9.1.1\302704f30c6e7abb7a0457f7771739e03c973e80\c3p0-0.9.1.1.jar
File Path: Z:\Gradle\caches\modules-2\files-2.1\cglib\cglib\2.1_3\d3851e366b9fe8b7d8215de0f9eb980b359d8de0\cglib-2.1_3.jar
MD5: ce1dce4a5f6865fb88d4c7c2728b78ed
SHA1: d3851e366b9fe8b7d8215de0f9eb980b359d8de0
Referenced In Projects/Scopes:
Description:
The XMP Library for Java is based on the C++ XMPCore library
and the API is similar.
License:
The BSD License: http://www.adobe.com/devnet/xmp/library/eula-xmp-library-java.htmlFile Path: Z:\Gradle\caches\modules-2\files-2.1\com.adobe.xmp\xmpcore\5.1.2\55615fa2582424e38705487d1d3969af8554f637\xmpcore-5.1.2.jar
Description: A Java framework to parse command line options with annotations.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\com.beust\jcommander\1.35\47592e181b0bdbbeb63029e08c5e74f6803c4edd\jcommander-1.35.jar
Description: High Performance Primitive Collections.
Fundamental data structures (maps, sets, lists, stacks, queues) generated for
combinations of object and primitive types to conserve JVM memory and speed
up execution.
File Path: Z:\Gradle\caches\modules-2\files-2.1\com.carrotsearch\hppc\0.7.1\8b5057f74ea378c0150a1860874a3ebdcb713767\hppc-0.7.1.jar
MD5: 2ff89be5b49144c330190cf7137c3a26
SHA1: 8b5057f74ea378c0150a1860874a3ebdcb713767
Referenced In Projects/Scopes:
Description: Java library for extracting EXIF, IPTC, XMP, ICC and other metadata from image files.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\com.drewnoakes\metadata-extractor\2.8.0\c771dba842e459b704081212c66182eb351728de\metadata-extractor-2.8.0.jar
Description: Core annotations used for value types, used by Jackson data binding package.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\com.fasterxml.jackson.core\jackson-annotations\2.5.4\7a93b60f5d2d43024f34e15893552ee6defdb971\jackson-annotations-2.5.4.jar
Description: Core Jackson abstractions, basic JSON streaming API implementation
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\com.fasterxml.jackson.core\jackson-core\2.6.1\892d15011456ea3563319b27bdd612dbc89bb776\jackson-core-2.6.1.jar
Description: General data-binding functionality for Jackson: works on core streaming API
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\com.fasterxml.jackson.core\jackson-databind\2.5.4\5dfa42af84584b4a862ea488da84bbbebbb06c35\jackson-databind-2.5.4.jar
Description: Support for reading and writing Smile ("binary JSON")
encoded data using Jackson abstractions (streaming API, data binding,
tree model)
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\com.fasterxml.jackson.dataformat\jackson-dataformat-smile\2.5.4\db0c5f1b6e16cb5f5e0505abfcd4b36f3e8bfdc6\jackson-dataformat-smile-2.5.4.jar
Description: A high performance caching library for Java 8+
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\com.github.ben-manes.caffeine\caffeine\2.4.0\5aa8bbb851b1ad403cc140094ba4a25998369efe\caffeine-2.4.0.jar
Description: rar decompression library in plain java
License:
UnRar License: https://raw.github.com/junrar/junrar/master/license.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\com.github.junrar\junrar\0.7\18cc717b85af0b12ba922abf415c2ff4716f8219\junrar-0.7.jar
Description: Implementation of various mathematical curves that define themselves over a set of control points. The API is written in Java. The curves supported are: Bezier, B-Spline, Cardinal Spline, Catmull-Rom Spline, Lagrange, Natural Cubic Spline, and NURBS.
License:
BSD License: http://opensource.org/licenses/BSD-3-ClauseFile Path: Z:\Gradle\caches\modules-2\files-2.1\com.github.virtuald\curvesapi\1.03\6b0977602901464b056959027fdf2396050f9dd2\curvesapi-1.03.jar
Description: JSR305 Annotations for Findbugs
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\com.google.code.findbugs\jsr305\1.3.9\40719ea6961c0cb6afaeb6a921eaa1f6afd4cfdf\jsr305-1.3.9.jar
Description: Google Gson library
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\com.google.code.gson\gson\2.2.4\a60a5e993c98c864010053cb901b7eab25306568\gson-2.2.4.jar
File Path: Z:\Gradle\caches\modules-2\files-2.1\com.google.errorprone\error_prone_annotations\2.0.18\5f65affce1684999e2f4024983835efc3504012e\error_prone_annotations-2.0.18.jar
MD5: 98051758c08c9b7111b3268655069432
SHA1: 5f65affce1684999e2f4024983835efc3504012e
Referenced In Projects/Scopes:
Description:
Guava is a suite of core and expanded libraries that include
utility classes, google's collections, io classes, and much
much more.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\com.google.guava\guava\23.0\c947004bb13d18182be60077ade044099e4f26f1\guava-23.0.jar
Description:
A set of annotations that provide additional information to the J2ObjC
translator to modify the result of translation.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\com.google.j2objc\j2objc-annotations\1.1\976d8d30bebc251db406f2bdb3eb01962b5685b3\j2objc-annotations-1.1.jar
Description:
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an
efficient yet extensible format.
License:
http://www.opensource.org/licenses/bsd-license.phpFile Path: Z:\Gradle\caches\modules-2\files-2.1\com.google.protobuf\protobuf-java\3.1.0\e13484d9da178399d32d2d27ee21a77cfb4b7873\protobuf-java-3.1.0.jar
Description: Core barcode encoding/decoding library
File Path: Z:\Gradle\caches\modules-2\files-2.1\com.google.zxing\core\3.2.1\2287494d4f5f9f3a9a2bb6980e3f32053721b315\core-3.2.1.jar
MD5: 45e31fec1bebd17da546cf7ec329d87b
SHA1: 2287494d4f5f9f3a9a2bb6980e3f32053721b315
Referenced In Projects/Scopes:
Description:
A high performance version of java.util.LinkedHashMap for use as a software cache.
License:
Apache: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\com.googlecode.concurrentlinkedhashmap\concurrentlinkedhashmap-lru\1.0\db7b7a28b835db4717d4aaf31f5d4441887a6d46\concurrentlinkedhashmap-lru-1.0.jar
Description: A library that reads and writes vCards, supporting all versions of the vCard standard (2.1, 3.0, and 4.0) as well as xCard (XML-encoded vCards), hCard (HTML-encoded vCards), and jCard (JSON-encoded vCards).
License:
FreeBSD License: http://opensource.org/licenses/bsd-license.phpFile Path: Z:\Gradle\caches\modules-2\files-2.1\com.googlecode.ez-vcard\ez-vcard\0.9.10\1997520f849718ec99a92aa67c17e408e5cca32a\ez-vcard-0.9.10.jar
Description: A simple Java toolkit for JSON
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\com.googlecode.json-simple\json-simple\1.1.1\c9ad4a0850ab676c5c64461a05ca524cdfff59f1\json-simple-1.1.1.jar
Description: Java port of universalchardet
License:
Mozilla Public License 1.1 (MPL 1.1): http://www.mozilla.org/MPL/MPL-1.1.htmlFile Path: Z:\Gradle\caches\modules-2\files-2.1\com.googlecode.juniversalchardet\juniversalchardet\1.0.3\cd49678784c46aa8789c060538e0154013bb421b\juniversalchardet-1.0.3.jar
Description: Google's common Java library for parsing, formatting, storing and validating international phone numbers. Optimized for running on smartphones.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\com.googlecode.libphonenumber\libphonenumber\8.6.0\6e7f8068388839c5dabc08239dbeec73ad0decd8\libphonenumber-8.6.0.jar
Description: A generic parser and writer for all ISO 14496 based files (MP4, Quicktime, DCF, PDCF, ...)
License:
Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\com.googlecode.mp4parser\isoparser\1.0.2\6d9a5c5814ec67178dd1d5a25bae874d4697a5b8\isoparser-1.0.2.jar
File Path: Z:\Gradle\caches\modules-2\files-2.1\com.googlecode.owasp-java-html-sanitizer\owasp-java-html-sanitizer\20160628.1\bf17ddc1f7c0b37157f59fa0d32a46e47b07efb3\owasp-java-html-sanitizer-20160628.1.jar
MD5: 2ff61c91fec416dc80c2d984bce7254d
SHA1: bf17ddc1f7c0b37157f59fa0d32a46e47b07efb3
Referenced In Projects/Scopes:
Description: An add-on to the Jackcess library for handling encryption in MS Access files.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\com.healthmarketscience.jackcess\jackcess-encrypt\2.1.1\effacd7133ab76ee54c0488dd952b177bfeb85a3\jackcess-encrypt-2.1.1.jar
Description: A pure Java library for reading from and writing to MS Access databases.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\com.healthmarketscience.jackcess\jackcess\2.1.2\b7f61fbb78919cb851868ce177d8fe626a6b4370\jackcess-2.1.2.jar
Description:
International Component for Unicode for Java (ICU4J) is a mature, widely used Java library
providing Unicode and Globalization support
License:
ICU License: http://source.icu-project.org/repos/icu/icu/trunk/LICENSEFile Path: Z:\Gradle\caches\modules-2\files-2.1\com.ibm.icu\icu4j\57.1\198ea005f41219f038f4291f0b0e9f3259730e92\icu4j-57.1.jar
Description: iText, a free Java-PDF library
License:
Mozilla Public License: http://www.mozilla.org/MPL/MPL-1.1.htmlFile Path: Z:\Gradle\caches\modules-2\files-2.1\com.lowagie\itext\2.1.7\892bfb3e97074a61123b3b2d7caa2db112750864\itext-2.1.7.jar
Description: A library to read PST files with java, without need for external libraries.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\com.pff\java-libpst\0.8.1\ad31986653dac9cb5132ea5b2999c20b4b286255\java-libpst-0.8.1.jar
Description: Utility classes for ROME projects
File Path: Z:\Gradle\caches\modules-2\files-2.1\com.rometools\rome-utils\1.5.1\3a3d6473a2f5d55fb31bf6c269af963fdea13b54\rome-utils-1.5.1.jar
MD5: ba0f0958cbbacd734b383038c3dcb0ef
SHA1: 3a3d6473a2f5d55fb31bf6c269af963fdea13b54
Referenced In Projects/Scopes:
Description: All Roads Lead to ROME. ROME is a set of Atom/RSS Java utilities that make it
easy to work in Java with most syndication formats. Today it accepts all flavors of RSS
(0.90, 0.91, 0.92, 0.93, 0.94, 1.0 and 2.0), Atom 0.3 and Atom 1.0 feeds. Rome includes
a set of parsers and generators for the various flavors of feeds, as well as converters
to convert from one format to another. The parsers can give you back Java objects that
are either specific for the format you want to work with, or a generic normalized
SyndFeed object that lets you work on with the data without bothering about the
underlying format.
File Path: Z:\Gradle\caches\modules-2\files-2.1\com.rometools\rome\1.5.1\cc3489f066749bede7fc81f4e80c0d8c9534a210\rome-1.5.1.jar
MD5: 07039d4b871513942d0495311947275f
SHA1: cc3489f066749bede7fc81f4e80c0d8c9534a210
Referenced In Projects/Scopes:
Description: JavaMail API
License:
https://glassfish.java.net/public/CDDL+GPL_1_1.htmlFile Path: Z:\Gradle\caches\modules-2\files-2.1\com.sun.mail\javax.mail\1.5.1\9724dd44f1abbba99c9858aa05fc91d53f59e7a5\javax.mail-1.5.1.jar
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
The mail gem before 2.5.5 for Ruby (aka A Really Ruby Mail Library) is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\com.sun.syndication\com.springsource.com.sun.syndication\0.9.0\2c8daab3471d3060d115cdcf4af2a88cb04744c1\com.springsource.com.sun.syndication-0.9.0.jar
MD5: 1c5121f30c06d4ec0d5c68dc5e119929
SHA1: 2c8daab3471d3060d115cdcf4af2a88cb04744c1
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\com.sun.xml.bind\jaxb-impl\2.1.9\9c137963871ba7296643806b01083e4cf1703769\jaxb-impl-2.1.9.jar
MD5: 8f7f2e5ceca330ebfeea5db52a891f8f
SHA1: 9c137963871ba7296643806b01083e4cf1703769
Referenced In Projects/Scopes:
Description: Data structure which allows accurate estimation of quantiles and related rank statistics
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\com.tdunning\t-digest\3.1\451ed219688aed5821a789428fd5e10426d11312\t-digest-3.1.jar
Description: XStream is a serialization library from Java objects to XML and back.
License:
http://x-stream.github.io/license.htmlFile Path: Z:\Gradle\caches\modules-2\files-2.1\com.thoughtworks.xstream\xstream\1.4.9\c43f6e6bfa79b56e04a8898a923c3cf7144dd460\xstream-1.4.9.jar
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\commons-beanutils\commons-beanutils-core\1.8.0\175dc721f87e4bc5cc0573f990e28c3cf9117508\commons-beanutils-core-1.8.0.jar
MD5: a33ba25ae637909a97a60ff1d1b38857
SHA1: 175dc721f87e4bc5cc0573f990e28c3cf9117508
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Vulnerable Software & Versions: (show all)
Description: Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\commons-beanutils\commons-beanutils\1.9.2\7a87d845ad3a155297e8f67d9008f4c1e5656b71\commons-beanutils-1.9.2.jar
Description:
Apache Commons CLI provides a simple API for presenting, processing and validating a command line interface.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\commons-cli\commons-cli\1.3.1\1303efbc4b181e5a58bf2e967dc156a3132b97c0\commons-cli-1.3.1.jar
Description:
The Apache Commons Codec package contains simple encoder and decoders for
various formats such as Base64 and Hexadecimal. In addition to these
widely used encoders and decoders, the codec package also maintains a
collection of phonetic encoding utilities.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\commons-codec\commons-codec\1.10\4b95f4897fa13f2cd904aee711aeafc0c5295cd8\commons-codec-1.10.jar
Description: Types that extend and augment the Java Collections Framework.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\commons-collections\commons-collections\3.2.2\8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5\commons-collections-3.2.2.jar
Description:
Tools to assist in the reading of configuration/preferences files in
various formats
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\commons-configuration\commons-configuration\1.6\32cadde23955d7681b0d94a2715846d20b425235\commons-configuration-1.6.jar
Description:
The Digester package lets you configure an XML to Java object mapping module
which triggers certain actions called rules whenever a particular
pattern of nested XML elements is recognized.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\commons-digester\commons-digester\1.8.1\3dec9b9c7ea9342d4dbe8c38560080d85b44a015\commons-digester-1.8.1.jar
Description: The Apache Commons Discovery component is about discovering, or finding,
implementations for pluggable interfaces.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\commons-discovery\commons-discovery\0.5\3a8ac816bbe02d2f88523ef22cbf2c4abd71d6a8\commons-discovery-0.5.jar
Description:
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\commons-fileupload\commons-fileupload\1.3.2\5d7491ed6ebd02b6a8d2305f8e6b7fe5dbd95f72\commons-fileupload-1.3.2.jar
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
Vulnerable Software & Versions:
Description: The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.
License:
Apache License: http://www.apache.org/licenses/LICENSE-2.0File Path: Z:\Gradle\caches\modules-2\files-2.1\commons-httpclient\commons-httpclient\3.1\964cd74171f427720480efdec40a7c7f6e58426a\commons-httpclient-3.1.jar
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.8
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation
http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.
Vulnerable Software & Versions: (show all)
Description:
The Apache Commons IO library contains utility classes, stream implementations, file filters,
file comparators, endian transformation classes, and much more.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\commons-io\commons-io\2.5\2852e6e05fbb95076fc091f6d1780f1f8fe35e0f\commons-io-2.5.jar
Description:
Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\commons-lang\commons-lang\2.6\ce1edb914c94ebc388f086c6827e8bdeec71ac2\commons-lang-2.6.jar
Description: Commons Logging is a thin adapter allowing configurable bridging to other,
well known logging systems.
License:
The Apache Software License, Version 2.0: /LICENSE.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\commons-logging\commons-logging-api\1.1\7d4cf5231d46c8524f9b9ed75bb2d1c69ab93322\commons-logging-api-1.1.jar
Description: Apache Commons Logging is a thin adapter allowing configurable bridging to other,
well known logging systems.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\commons-logging\commons-logging\1.2\4bfc12adfe4842bf07b657f0369c4cb522955686\commons-logging-1.2.jar
Description:
Apache Commons Net library contains a collection of network utilities and protocol implementations.
Supported protocols include: Echo, Finger, FTP, NNTP, NTP, POP3(S), SMTP(S), Telnet, Whois
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\commons-net\commons-net\3.3\cd0d5510908225f76c5fe5a3f1df4fa44866f81e\commons-net-3.3.jar
Description:
Apache Commons Validator provides the building blocks for both client side validation and server side data validation.
It may be used standalone or with a framework like Struts.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\commons-validator\commons-validator\1.5.1\86d05a46e8f064b300657f751b5a98c62807e2a0\commons-validator-1.5.1.jar
Description: The boilerpipe library provides algorithms to detect and remove the surplus "clutter" (boilerplate, templates) around the main textual content of a web page.
The library already provides specific strategies for common tasks (for example: news article extraction) and may also be easily extended for individual problem settings.
Extracting content is very fast (milliseconds), just needs the input document (no global or site-level information required) and is usually quite accurate.
Boilerpipe is a Java library written by Christian Kohlschütter. It is released under the Apache License 2.0.
The algorithms used by the library are based on (and extending) some concepts of the paper "Boilerplate Detection using Shallow Text Features" by Christian Kohlschütter et al., presented at WSDM 2010 -- The Third ACM International Conference on Web Search and Data Mining New York City, NY USA.
License:
Apache License 2.0File Path: Z:\Gradle\caches\modules-2\files-2.1\de.l3s.boilerpipe\boilerpipe\1.1.0\f62cb75ed52455a9e68d1d05b84c500673340eb2\boilerpipe-1.1.0.jar
File Path: Z:\Gradle\caches\modules-2\files-2.1\de.odysseus.juel\juel-impl\2.2.7\97958467acef4c2b230b72354a4eefc66628dd99\juel-impl-2.2.7.jar
MD5: c5d7a62edafb5706b6beadbbcfd8f57d
SHA1: 97958467acef4c2b230b72354a4eefc66628dd99
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\de.odysseus.juel\juel-spi\2.2.7\ca146332a93720784f24a5a24bb71c6d545133bd\juel-spi-2.2.7.jar
MD5: a4df3c8482a97ae937081b7d0ab407bb
SHA1: ca146332a93720784f24a5a24bb71c6d545133bd
Referenced In Projects/Scopes:
Description: dom4j: the flexible XML framework for Java
File Path: Z:\Gradle\caches\modules-2\files-2.1\dom4j\dom4j\1.6.1\5d3ccc056b6f056dbf0dddfdf43894b9065a8f94\dom4j-1.6.1.jar
MD5: 4d8f51d3fe3900efc6e395be48030d6d
SHA1: 5d3ccc056b6f056dbf0dddfdf43894b9065a8f94
Referenced In Projects/Scopes:
Description:
The NetCDF-Java Library is a Java interface to NetCDF files,
as well as to many other types of scientific data formats.
File Path: Z:\Gradle\caches\modules-2\files-2.1\edu.ucar\cdm\4.5.5\af1748a3d024069cb7fd3fc2591efe806c914589\cdm-4.5.5.jar
MD5: 7770c86aabbd0ec5e12ed1f0600d5492
SHA1: af1748a3d024069cb7fd3fc2591efe806c914589
Referenced In Projects/Scopes:
Description:
Decoder for the GRIB format.
File Path: Z:\Gradle\caches\modules-2\files-2.1\edu.ucar\grib\4.5.5\cfe552910e9a8d57ce71134796abb281a74ead16\grib-4.5.5.jar
MD5: 0cb80276d8ea89cacc1d5632dbf39fe9
SHA1: cfe552910e9a8d57ce71134796abb281a74ead16
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\edu.ucar\httpservices\4.5.5\ee5f217be599e5e03f7f0e55e03f9e721a154f62\httpservices-4.5.5.jar
MD5: c5207827b8b7e6045b2af7e1e8c5b1d4
SHA1: ee5f217be599e5e03f7f0e55e03f9e721a154f62
Referenced In Projects/Scopes:
Description: Fork of jpeg2k code from https://code.google.com/p/jj2000/.
This is a dependency for support of compression in Grib2 files in netCDF-java and TDS.
We welcome bug fixes and other contributions to this code.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\edu.ucar\jj2000\5.2\b857c9bdf12fe17d8ef98218eaa39e6a0c6ff493\jj2000-5.2.jar
File Path: Z:\Gradle\caches\modules-2\files-2.1\edu.ucar\netcdf4\4.5.5\675d63ecc857c50dd50858011b670160aa30b62\netcdf4-4.5.5.jar
MD5: 5f14df469295650fd65748a003c9ba56
SHA1: 0675d63ecc857c50dd50858011b670160aa30b62
Referenced In Projects/Scopes:
Description: The ucar.units Java package is for decoding and encoding
formatted unit specifications (e.g. "m/s"), converting numeric values
between compatible units (e.g. between "m/s" and "knot"), and for
performing arithmetic operations on units (e.g. dividing one unit by
another, raising a unit to a power).
File Path: Z:\Gradle\caches\modules-2\files-2.1\edu.ucar\udunits\4.5.5\d8c8d65ade13666eedcf764889c69321c247f153\udunits-4.5.5.jar
MD5: 025ffadf77de73601443c8262c995df0
SHA1: d8c8d65ade13666eedcf764889c69321c247f153
Referenced In Projects/Scopes:
Description: JVM instrumentation to Ganglia
License:
The MIT License: http://www.opensource.org/licenses/mit-license.phpFile Path: Z:\Gradle\caches\modules-2\files-2.1\info.ganglia.gmetric4j\gmetric4j\1.0.7\37a1cb0d8821cad9bd33f1ce454459fed18efa44\gmetric4j-1.0.7.jar
Description:
Metrics is a Java library which gives you unparalleled insight into what your code does in
production. Metrics provides a powerful toolkit of ways to measure the behavior of critical
components in your production environment.
License:
http://www.apache.org/licenses/LICENSE-2.0.htmlFile Path: Z:\Gradle\caches\modules-2\files-2.1\io.dropwizard.metrics\metrics-core\3.1.2\224f03afd2521c6c94632f566beb1bb5ee32cf07\metrics-core-3.1.2.jar
Description:
A reporter for Metrics which announces measurements to a Ganglia cluster.
License:
http://www.apache.org/licenses/LICENSE-2.0.htmlFile Path: Z:\Gradle\caches\modules-2\files-2.1\io.dropwizard.metrics\metrics-ganglia\3.1.2\2a4e2fcd6436f9b1771f0f9b6bab445dddcf704f\metrics-ganglia-3.1.2.jar
Description:
A reporter for Metrics which announces measurements to a Graphite server.
License:
http://www.apache.org/licenses/LICENSE-2.0.htmlFile Path: Z:\Gradle\caches\modules-2\files-2.1\io.dropwizard.metrics\metrics-graphite\3.1.2\15a68399652c6123fe6e4c82ac4f0749e2eb6583\metrics-graphite-3.1.2.jar
Description:
A set of extensions for Jetty 9.1 and higher which provide instrumentation of thread pools, connector
metrics, and application latency and utilization.
License:
http://www.apache.org/licenses/LICENSE-2.0.htmlFile Path: Z:\Gradle\caches\modules-2\files-2.1\io.dropwizard.metrics\metrics-jetty9\3.1.2\7f2fe1039424ca687bea5d09ec0bfa372bf7d062\metrics-jetty9-3.1.2.jar
Description:
A set of classes which allow you to monitor critical aspects of your Java Virtual Machine
using Metrics.
License:
http://www.apache.org/licenses/LICENSE-2.0.htmlFile Path: Z:\Gradle\caches\modules-2\files-2.1\io.dropwizard.metrics\metrics-jvm\3.1.2\ed364e77218e50fdcdebce4d982cb4d1f4a8c187\metrics-jvm-3.1.2.jar
Description:
JavaBeans Activation Framework (JAF) is a standard extension to the Java platform that lets you take advantage of standard services to: determine the type of an arbitrary piece of data; encapsulate access to it; discover the operations available on it; and instantiate the appropriate bean to perform the operation(s).
License:
Common Development and Distribution License (CDDL) v1.0: https://glassfish.dev.java.net/public/CDDLv1.0.htmlFile Path: Z:\Gradle\caches\modules-2\files-2.1\javax.activation\activation\1.1\e6cb541461c2834bdea3eb920f1884d1eb508b50\activation-1.1.jar
Description: Common Annotations for the JavaTM Platform API
License:
CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.htmlFile Path: Z:\Gradle\caches\modules-2\files-2.1\javax.annotation\javax.annotation-api\1.2\479c1e06db31c432330183f5cae684163f186146\javax.annotation-api-1.2.jar
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.
Vulnerable Software & Versions: (show all)
Description: Expression Language 3.0 API
License:
CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.htmlFile Path: Z:\Gradle\caches\modules-2\files-2.1\javax.el\javax.el-api\3.0.1-b04\8c0c970b8deae5054ff0bf4b17979c8181a506d3\javax.el-api-3.0.1-b04.jar
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.
Vulnerable Software & Versions: (show all)
Description:
JSR-275 specifies Java packages for the programmatic handling
of physical quantities and their expression as numbers of units.
License:
Specification License: LICENSE.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\javax.measure\jsr-275\0.9.3\ab2fb094fc5297ae5636ef6ed0d6051d5a656588\jsr-275-0.9.3.jar
Description:
The Enterprise JavaBeans architecture is a component architecture for the development and deployment of component-based business applications.
The purpose of Enterprise JavaBeans (EJB) 3.0 is to improve the EJB architecture by reducing its complexity from the developer's point of view.
License:
Common Development and Distribution License (CDDL) v1.0: http://www.sun.com/cddl/cddl.htmlFile Path: Z:\Gradle\caches\modules-2\files-2.1\javax.persistence\persistence-api\1.0\5725f57873e05e068803e2bf9d5a8ea3740ffec5\persistence-api-1.0.jar
Description: Java.net - The Source for Java Technology Collaboration
License:
CDDL + GPLv2 with classpath exception: http://glassfish.dev.java.net/nonav/public/CDDL+GPL.htmlFile Path: Z:\Gradle\caches\modules-2\files-2.1\javax.servlet.jsp\javax.servlet.jsp-api\2.3.0\3795334f4306b194003e16dfba4111a0467a49bd\javax.servlet.jsp-api-2.3.0.jar
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
Oracle Glassfish 2.1.1, 3.0.1, and 3.1.1, as used in Communications Server 2.0, Sun Java System Application Server 8.1 and 8.2, and possibly other products, computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters, aka Oracle security ticket S0104869.
Vulnerable Software & Versions: (show all)
Description: Java(TM) Servlet 3.1 API Design Specification
License:
CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.htmlFile Path: Z:\Gradle\caches\modules-2\files-2.1\javax.servlet\javax.servlet-api\3.1.0\3cd63d075497751784b2fa84be59432f4905bf7c\javax.servlet-api-3.1.0.jar
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\javax.servlet\servlet-api\2.4\3fc542fe8bb8164e8d3e840fe7403bc0518053c0\servlet-api-2.4.jar
MD5: f6cf3fde0b992589ed3d87fa9674015f
SHA1: 3fc542fe8bb8164e8d3e840fe7403bc0518053c0
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\javax.transaction\jta\1.0.1B\3dd157a4f4fe115ac5d165d6c21463d0ce9e3c7b\jta-1.0.1B.jar
MD5: c6e3e528816227b97f6b21f709641f8f
SHA1: 3dd157a4f4fe115ac5d165d6c21463d0ce9e3c7b
Referenced In Projects/Scopes:
Description: Java API for RESTful Web Services (JAX-RS)
License:
CDDL 1.1: http://glassfish.java.net/public/CDDL+GPL_1_1.html GPL2 w/ CPE: http://glassfish.java.net/public/CDDL+GPL_1_1.htmlFile Path: Z:\Gradle\caches\modules-2\files-2.1\javax.ws.rs\javax.ws.rs-api\2.0.1\104e9c2b5583cfcfeac0402316221648d6d8ea6b\javax.ws.rs-api-2.0.1.jar
License:
CDDL License
: http://www.opensource.org/licenses/cddl1.php
File Path: Z:\Gradle\caches\modules-2\files-2.1\javax.ws.rs\jsr311-api\1.1.1\59033da2a1afd56af1ac576750a8d0b1830d59e6\jsr311-api-1.1.1.jar
File Path: Z:\Gradle\caches\modules-2\files-2.1\javax.xml.bind\jaxb-api\2.1\b2dfeed54ac106bcd714ba59c1f52ef9167d56e\jaxb-api-2.1.jar
MD5: 63f750861245626b7338e2d2e6a33068
SHA1: 0b2dfeed54ac106bcd714ba59c1f52ef9167d56e
Referenced In Projects/Scopes:
Description:
StAX is a standard XML processing API that allows you to stream XML data from and to your application.
License:
GNU General Public Library: http://www.gnu.org/licenses/gpl.txt COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: http://www.sun.com/cddl/cddl.htmlFile Path: Z:\Gradle\caches\modules-2\files-2.1\javax.xml.stream\stax-api\1.0-2\d6337b0de8b25e53e81b922352fbea9f9f57ba0b\stax-api-1.0-2.jar
License:
hynnet.com: http://www.hynnet.com/licenses/LICENSE-1.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\javax.xml\xmldsig\1.0\9312ad67022b4dec8df8689d0b7dbac9cd612525\xmldsig-1.0.jar
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Heap-based buffer overflow in the jpc_dec_decodepkt function in jpc_t2dec.c in JasPer 2.0.10 allows remote attackers to have unspecified impact via a crafted image.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-125 Out-of-bounds Read
The jas_matrix_bindsub function in jas_seq.c in JasPer 2.0.10 allows remote attackers to cause a denial of service (invalid read) via a crafted image.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-476 NULL Pointer Dereference
The jp2_cdef_destroy function in jp2_cod.c in JasPer before 2.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted image.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Stack-based buffer overflow in the jpc_tsfb_getbands2 function in jpc_tsfb.c in JasPer before 1.900.30 allows remote attackers to have unspecified impact via a crafted image.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-190 Integer Overflow or Wraparound
Integer overflow in jas_image.c in JasPer before 1.900.25 allows remote attackers to cause a denial of service (application crash) via a crafted file.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
The jpc_floorlog2 function in jpc_math.c in JasPer before 1.900.17 allows remote attackers to cause a denial of service (assertion failure) via unspecified vectors.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
The JPC_NOMINALGAIN function in jpc/jpc_t1cod.c in JasPer through 2.0.12 allows remote attackers to cause a denial of service (JPC_COX_RFT assertion failure) via unspecified vectors.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
The jas_seq2d_create function in jas_seq.c in JasPer before 1.900.25 allows remote attackers to cause a denial of service (assertion failure) via a crafted file.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
The jas_seq2d_create function in jas_seq.c in JasPer before 1.900.17 allows remote attackers to cause a denial of service (assertion failure) via a crafted file.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
The calcstepsizes function in jpc_dec.c in JasPer before 1.900.17 allows remote attackers to cause a denial of service (assertion failure) via a crafted file.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
The jpc_bitstream_getbits function in jpc_bs.c in JasPer before 2.0.10 allows remote attackers to cause a denial of service (assertion failure) via a very large integer.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
The jas_seq2d_create function in jas_seq.c in JasPer before 1.900.14 allows remote attackers to cause a denial of service (assertion failure) via a crafted image file.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
The jpc_irct and jpc_iict functions in jpc_mct.c in JasPer before 1.900.14 allow remote attackers to cause a denial of service (assertion failure).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound
Integer overflow in the jpc_dec_process_siz function in libjasper/jpc/jpc_dec.c in JasPer before 1.900.13 allows remote attackers to have unspecified impact via a crafted file, which triggers an assertion failure.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-190 Integer Overflow or Wraparound
Multiple integer overflows in the (1) jas_realloc function in base/jas_malloc.c and (2) mem_resize function in base/jas_stream.c in JasPer before 1.900.22 allow remote attackers to cause a denial of service via a crafted image, which triggers use after free vulnerabilities.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-476 NULL Pointer Dereference
The jp2_colr_destroy function in libjasper/jp2/jp2_cod.c in JasPer before 1.900.10 allows remote attackers to cause a denial of service (NULL pointer dereference).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The jas_malloc function in libjasper/base/jas_malloc.c in JasPer before 1.900.11 allows remote attackers to have unspecified impact via a crafted file, which triggers a memory allocation failure.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-476 NULL Pointer Dereference
The bmp_getdata function in libjasper/bmp/bmp_dec.c in JasPer before 1.900.9 allows remote attackers to cause a denial of service (NULL pointer dereference) by calling the imginfo command with a crafted BMP image.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
The jpc_dec_tiledecode function in jpc_dec.c in JasPer before 1.900.8 allows remote attackers to cause a denial of service (assertion failure) via a crafted file.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-476 NULL Pointer Dereference
The jpc_dec_tilefini function in libjasper/jpc/jpc_dec.c in JasPer before 1.900.8 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted file.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-415 Double Free
Double free vulnerability in the mem_close function in jas_stream.c in JasPer before 1.900.10 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image to the imginfo command.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-369 Divide By Zero
The jpc_dec_process_siz function in libjasper/jpc/jpc_dec.c in JasPer before 1.900.4 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted YRsiz value in a BMP image to the imginfo command.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-369 Divide By Zero
The jpc_dec_process_siz function in libjasper/jpc/jpc_dec.c in JasPer before 1.900.4 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted XRsiz value in a BMP image to the imginfo command.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-476 NULL Pointer Dereference
The bmp_getdata function in libjasper/bmp/bmp_dec.c in JasPer before 1.900.5 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted BMP image in an imginfo command.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
Memory leak in the jas_iccprof_createfrombuf function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted ICC color profile in a JPEG 2000 image file.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Double free vulnerability in the jas_iccattrval_destroy function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ICC color profile in a JPEG 2000 image file, a different vulnerability than CVE-2014-8137.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound
Integer overflow in the jpc_pi_nextcprl function in jpc_t2cod.c in JasPer before 1.900.20 allows remote attackers to have unspecified impact via a crafted file, which triggers use of an uninitialized value.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-476 NULL Pointer Dereference
The jp2_colr_destroy function in jp2_cod.c in JasPer before 1.900.13 allows remote attackers to cause a denial of service (NULL pointer dereference) by leveraging incorrect cleanup of JP2 box data on error. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-8887.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound
Integer overflow in the jpc_dec_tiledecode function in jpc_dec.c in JasPer before 1.900.12 allows remote attackers to have unspecified impact via a crafted image file, which triggers a heap-based buffer overflow.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-476 NULL Pointer Dereference
The jpc_tsfb_synthesize function in jpc_tsfb.c in JasPer before 1.900.9 allows remote attackers to cause a denial of service (NULL pointer dereference) via vectors involving an empty sequence.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-416 Use After Free
Use-after-free vulnerability in the mif_process_cmpt function in libjasper/mif/mif_cod.c in the JasPer JPEG-2000 library before 1.900.2 allows remote attackers to cause a denial of service (crash) via a crafted JPEG 2000 image file.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-189 Numeric Errors
Multiple off-by-one errors in the (1) jpc_dec_cp_setfromcox and (2) jpc_dec_cp_setfromrgn functions in jpc/jpc_dec.c in JasPer 1.900.1 and earlier allow remote attackers to execute arbitrary code via a crafted jp2 file, which triggers a heap-based buffer overflow.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Multiple stack-based buffer overflows in jpc_qmfb.c in JasPer 1.900.1 and earlier allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-189 Numeric Errors
Off-by-one error in the jpc_dec_process_sot function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image, which triggers a heap-based buffer overflow.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Double free vulnerability in the jas_iccattrval_destroy function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ICC color profile in a JPEG 2000 image file.
Vulnerable Software & Versions:
Description: Jaxen is a universal Java XPath engine.
License:
http://jaxen.codehaus.org/license.htmlFile Path: Z:\Gradle\caches\modules-2\files-2.1\jaxen\jaxen\1.1.6\3f8c36d9a0578e8e98f030c662b69888b1430ac0\jaxen-1.1.6.jar
File Path: Z:\Gradle\caches\modules-2\files-2.1\jdom\jdom\1.0\a2ac1cd690ab4c80defe7f9bce14d35934c35cec\jdom-1.0.jar
MD5: 0b8f97de82fc9529b1028a77125ce4f8
SHA1: a2ac1cd690ab4c80defe7f9bce14d35934c35cec
Referenced In Projects/Scopes:
Description: Date and time library to replace JDK date handling
License:
Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\joda-time\joda-time\2.2\a5f29a7acaddea3f4af307e8cf2d0cc82645fd7d\joda-time-2.2.jar
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in the Date module before 7.x-2.8 for Drupal allows remote authenticated users with the permission to create a date field to inject arbitrary web script or HTML via the date field title.
Vulnerable Software & Versions:
Description:
JUnit is a regression testing framework written by Erich Gamma and Kent Beck.
It is used by the developer who implements unit tests in Java.
License:
Common Public License Version 1.0: http://www.opensource.org/licenses/cpl1.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\junit\junit-dep\4.10\64417b3bafdecd366afa514bd5beeae6c1f85ece\junit-dep-4.10.jar
Description:
JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.
License:
Common Public License Version 1.0: http://www.opensource.org/licenses/cpl1.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\junit\junit\3.8.2\7e4cde26b53a9a0e3fe5b00d1dbbc7cc1d46060\junit-3.8.2.jar
Description: JUnit is a unit testing framework for Java, created by Erich Gamma and Kent Beck.
License:
Eclipse Public License 1.0: http://www.eclipse.org/legal/epl-v10.htmlFile Path: Z:\Gradle\caches\modules-2\files-2.1\junit\junit\4.12\2973d150c0dc1fefe998f834810d68f278ea58ec\junit-4.12.jar
Description: Apache Log4j 1.2
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\log4j\log4j\1.2.17\5af35056b4d257e4b64b9e8069c0746e8b08629f\log4j-1.2.17.jar
Description:
A Java library for reading and writing iCalendar (*.ics) files
License:
iCal4j - License: LICENSEFile Path: Z:\Gradle\caches\modules-2\files-2.1\net.fortuna.ical4j\ical4j\1.0-rc3-atlassian-11\cc4aa02f5cc8773876aad173517d20438b1b60ea\ical4j-1.0-rc3-atlassian-11.jar
Description: Type-safe access to Java system properties
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\net.hydromatic\eigenbase-properties\1.1.5\a941956b3a4664d0cf728ece06ba25cc2110a3aa\eigenbase-properties-1.1.5.jar
Description: Java Native Access
License:
LGPL, version 2.1: http://www.gnu.org/licenses/licenses.html ASL, version 2: http://www.apache.org/licenses/File Path: Z:\Gradle\caches\modules-2\files-2.1\net.java.dev.jna\jna\4.1.0\1c12d070e602efd8021891cdd7fd18bc129372d4\jna-4.1.0.jar
File Path: Z:\Gradle\caches\modules-2\files-2.1\net.java.dev.jna\jna\4.1.0\1c12d070e602efd8021891cdd7fd18bc129372d4\jna-4.1.0.jar\com\sun\jna\w32ce-arm\jnidispatch.dll
MD5: 57697cbdd321ae7d06f5da04e821f908
SHA1: 67167f2b2fce8db5f9f64a372b0da54730d3ee51
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\net.java.dev.jna\jna\4.1.0\1c12d070e602efd8021891cdd7fd18bc129372d4\jna-4.1.0.jar\com\sun\jna\win32-x86-64\jnidispatch.dll
MD5: 06b2f1f909d2436dff20d7a668ef26a9
SHA1: bd1bdda9a91f3b0d9067e323f7394bef933f81f6
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\net.java.dev.jna\jna\4.1.0\1c12d070e602efd8021891cdd7fd18bc129372d4\jna-4.1.0.jar\com\sun\jna\win32-x86\jnidispatch.dll
MD5: 05a72ada9247aeb114a9ef01a394b6c4
SHA1: 8b32cc82740fc62afdf5ea211f1ca8bb72269bbf
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\net.jcip\jcip-annotations\1.0\afba4942caaeaf46aab0b976afd57cc7c181467e\jcip-annotations-1.0.jar
MD5: 9d5272954896c5a5d234f66b7372b17a
SHA1: afba4942caaeaf46aab0b976afd57cc7c181467e
Referenced In Projects/Scopes:
Description: Barcode4J is a flexible generator for barcodes written in Java.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\net.sf.barcode4j\barcode4j-fop-ext\2.1\38749ed6e6412628c45d5ba344a0ab796e6807f9\barcode4j-fop-ext-2.1.jar
Description: Barcode4J is a flexible generator for barcodes written in Java.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\net.sf.barcode4j\barcode4j\2.1\4b38b2219c0d522fcea8238493f2ea3e238ef529\barcode4j-2.1.jar
Description: This is the ehcache core module. Pair it with other modules for added functionality.
License:
The Apache Software License, Version 2.0: src/assemble/EHCACHE-CORE-LICENSE.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\net.sf.ehcache\ehcache-core\2.6.2\3baecd92015a9f8fe4cf51c8b5d3a5bddcdd3e86\ehcache-core-2.6.2.jar
File Path: Z:\Gradle\caches\modules-2\files-2.1\net.sf.ehcache\ehcache-core\2.6.2\3baecd92015a9f8fe4cf51c8b5d3a5bddcdd3e86\ehcache-core-2.6.2.jar\net\sf\ehcache\pool\sizeof\sizeof-agent.jar
MD5: 5ad919b3ac0516897bdca079c9a222a8
SHA1: e86399a80ae6a6c7a563717eaa0ce9ba4708571c
Referenced In Projects/Scopes:
Description:
ehcache is a pure Java, in-process cache with the following features:
1. Fast.
2. Simple.
3. Multiple eviction policies: LRU, LFU and FIFO.
4. Caches can be in memory or on disk.
5. Disk Stores can be persistent between VM restarts.
6. Distributed caching using multicast and RMI, with a pluggable API.
7. Cache and CacheManager listeners
8. Supports multiple Caches per CacheManager, and multiple CacheManagers per application.
9. Acts as a pluggable cache for Hibernate 3.1, 3 and 2.1.
10. Small foot print. Both in terms of size and memory requirements.
11. Minimal dependencies apart from J2SE.
12. Fully documented. See the online Documentation and the online JavaDoc.
13. Comprehensive Test Coverage. See the clover test report.
14. Available under the Apache 1.1 license. EHCache's copyright and licensing has been reviewed and approved by the Apache Software Foundation, making EHCache suitable for use in Apache projects.
15. Production tested. EHCache is used on a large and very busy eCommerce site.
16. Web caching, pull-through caches and other common caching implementations are provided in the ehcache-constructs module.
License:
The Apache Software License, Version 2.0: http://ehcache.sourceforge.net/LICENSE.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\net.sf.ehcache\ehcache\1.2.3\461752b4e3d73a5815737df243782ac70112b489\ehcache-1.2.3.jar
Description:
JWNL is an API for accessing WordNet-style relational dictionaries. It also provides
functionality beyond data access, such as relationship discovery and morphological
processing.
License:
BSD 3-Clause License: http://jwordnet.svn.sourceforge.net/svnroot/jwordnet/trunk/jwnl/license.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\net.sf.jwordnet\jwnl\1.3.3\7108e5b6a8875fe0488d942238575407c7ab8649\jwnl-1.3.3.jar
Description:
Matlab's MAT-file I/O API in JAVA. Supports Matlab 5 MAT-flie format reading and writing. Written in pure JAVA.
License:
BSD: http://www.linfo.org/bsdlicense.htmlFile Path: Z:\Gradle\caches\modules-2\files-2.1\net.sourceforge.jmatio\jmatio\1.0\df72993ea17d34c3bacd983558d2970a866abaf6\jmatio-1.0.jar
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\net.sourceforge.nekohtml\nekohtml\1.9.12\6b58cfa01218d900a5c5996b82b52cffab981c0a\nekohtml-1.9.12.jar
Description: OGNL stands for Object-Graph Navigation Language; it is an expression language for getting and setting properties of Java objects.
License:
BSD License: http://www.opensource.org/licenses/bsd-license.phpFile Path: Z:\Gradle\caches\modules-2\files-2.1\ognl\ognl\2.6.9\fad9692184899994e977b647998f9fa4a9cfec35\ognl-2.6.9.jar
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.
Vulnerable Software & Versions: (show all)
Description: The ANTLR 4 Runtime
License:
http://www.antlr.org/license.htmlFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.antlr\antlr4-runtime\4.5.1-1\66144204f9d6d7d3f3f775622c2dd7e9bd511d97\antlr4-runtime-4.5.1-1.jar
Description: contains the junit and junirreport tasks
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.ant\ant-junit\1.9.0\cc83eb94ddcef9c12d5ede5feac3f31a3d320e82\ant-junit-1.9.0.jar
MD5: 99a7567e995ab2591d0cd7c3349f02e2
SHA1: cc83eb94ddcef9c12d5ede5feac3f31a3d320e82
Referenced In Projects/Scopes:
Description: contains the junit and junirreport tasks
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.ant\ant-junit\1.9.7\12629dc0fe3bc89199f83c1cbf7f844f2d0801de\ant-junit-1.9.7.jar
MD5: d2aea68c381c3f5ba9267d6e487283b2
SHA1: 12629dc0fe3bc89199f83c1cbf7f844f2d0801de
Referenced In Project/Scope:
junitReport
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.ant\ant-launcher\1.9.0\a76484a4e3a893dd0ee018afef34f74df8e4ef6c\ant-launcher-1.9.0.jar
MD5: aa065e042ee374e7d97bcaf814cdcb8c
SHA1: a76484a4e3a893dd0ee018afef34f74df8e4ef6c
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.ant\ant-launcher\1.9.7\224857a490283e72da13ffe3082dea62c558ec76\ant-launcher-1.9.7.jar
MD5: f099489fbe6cc9665cb690b4b03cf48c
SHA1: 224857a490283e72da13ffe3082dea62c558ec76
Referenced In Project/Scope:
junitReport
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.ant\ant\1.9.0\d667bc2c030a338720bfcf794d2189ea5c663b9e\ant-1.9.0.jar
MD5: f95c303d8ebed1503e22571f9214acab
SHA1: d667bc2c030a338720bfcf794d2189ea5c663b9e
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.ant\ant\1.9.7\3b2a10512ee6537d3852c9b693a0284dcab5de68\ant-1.9.7.jar
MD5: a14502c25ee6bc76c4614315845b29e9
SHA1: 3b2a10512ee6537d3852c9b693a0284dcab5de68
Referenced In Project/Scope:
junitReport
Description: Avalon Framework API
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.avalon.framework\avalon-framework-api\4.3.1\2dacadeb49bc14420990b1f28897d46f96e2181d\avalon-framework-api-4.3.1.jar
MD5: 7c543869a7eb2bad323a54e873973acf
SHA1: 2dacadeb49bc14420990b1f28897d46f96e2181d
Referenced In Projects/Scopes:
Description: Avalon Framework Implementation
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.avalon.framework\avalon-framework-impl\4.3.1\2d5f5a07fd14513ce6d7a7bfaff69419c26dbd0b\avalon-framework-impl-4.3.1.jar
MD5: 004ac42a2cda8c444451ef187b24284f
SHA1: 2d5f5a07fd14513ce6d7a7bfaff69419c26dbd0b
Referenced In Projects/Scopes:
Description: Core Parts of Axis2. This includes Axis2 engine, Client API, Addressing support, etc.,
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.axis2\axis2-kernel\1.7.1\839abf2a83ab7aa225e4d4f8dd4236803ef977a0\axis2-kernel-1.7.1.jar
MD5: 70f2a2bb541d649a4e943ee47fc2388a
SHA1: 839abf2a83ab7aa225e4d4f8dd4236803ef977a0
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication
Apache Axis2 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack," a different vulnerability than CVE-2012-4418.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.8
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication
Apache Axis2 allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack."
Vulnerable Software & Versions:
Description: This inclues all the available transports in Axis2
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.axis2\axis2-transport-http\1.7.1\54b345d733908b3fc830ac87ede303ec2b7d8c3b\axis2-transport-http-1.7.1.jar
MD5: 58ea78d154f92057c9644f21e99e91c8
SHA1: 54b345d733908b3fc830ac87ede303ec2b7d8c3b
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication
Apache Axis2 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack," a different vulnerability than CVE-2012-4418.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.8
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication
Apache Axis2 allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack."
Vulnerable Software & Versions:
Description: This inclues all the available transports in Axis2
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.axis2\axis2-transport-local\1.7.1\cfda1532e74015dd978b3d046b19a2749ac300b1\axis2-transport-local-1.7.1.jar
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication
Apache Axis2 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack," a different vulnerability than CVE-2012-4418.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.8
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication
Apache Axis2 allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack."
Vulnerable Software & Versions:
Description:
An implementation of the SOAP ("Simple Object Access Protocol") submission to W3C.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.axis\axis\1.4\94a9ce681a42d0352b3ad22659f67835e560d107\axis-1.4.jar
Severity:
Medium
CVSS Score: 5.8
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.8
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation
Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Vulnerable Software & Versions: (show all)
Description: JDBC driver framework.
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.calcite.avatica\avatica-core\1.9.0\c16b346eef02495f2f4b429fe04c33e526ec0229\avatica-core-1.9.0.jar
MD5: 344c4fcf242a48a027d5118820443ef7
SHA1: c16b346eef02495f2f4b429fe04c33e526ec0229
Referenced In Projects/Scopes:
Description: Core Calcite APIs and engine.
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.calcite\calcite-core\1.11.0\d0f90841119f1ec02a64ef029ff525171a320cff\calcite-core-1.11.0.jar
MD5: b50fede7ab343dd311933faf145eced4
SHA1: d0f90841119f1ec02a64ef029ff525171a320cff
Referenced In Projects/Scopes:
Description: Calcite APIs for LINQ (Language-Integrated Query) in Java
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.calcite\calcite-linq4j\1.11.0\b09e988f64c69c21cc61aa734e9955736a07e016\calcite-linq4j-1.11.0.jar
MD5: 1bcdaf8aeb758f891f4fbe594d669225
SHA1: b09e988f64c69c21cc61aa734e9955736a07e016
Referenced In Projects/Scopes:
Description: The Apache Commons Collections package contains types that extend and augment the Java Collections Framework.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.commons\commons-collections4\4.1\a4cf4688fe1c7e3a63aa636cc96d013af537768e\commons-collections4-4.1.jar
Description:
Apache Commons Compress software defines an API for working with
compression and archive formats. These include: bzip2, gzip, pack200,
lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio,
jar, tar, zip, dump, 7z, arj.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.commons\commons-compress\1.10\5eeb27c57eece1faf2d837868aeccc94d84dcc9a\commons-compress-1.10.jar
Description:
The Apache Commons CSV library provides a simple interface for reading and writing
CSV files of various types.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.commons\commons-csv\1.1\1eeeb118cab7ec49c9a10b478356eff108d5e87e\commons-csv-1.1.jar
Description: Apache Commons DBCP software implements Database Connection Pooling
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.commons\commons-dbcp2\2.1\95d4eab4b67874f452a69fe84e89f2952c6c27f6\commons-dbcp2-2.1.jar
Description: Apache Commons Exec is a library to reliably execute external processes from within the JVM.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.commons\commons-exec\1.3\8dfb9facd0830a27b1b5f29f84593f0aeee7773b\commons-exec-1.3.jar
Description: Apache Commons Object Pooling Library
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.commons\commons-pool2\2.3\62a559a025fd890c30364296ece14643ba9c8c5b\commons-pool2-2.3.jar
Description: VFS is a Virtual File System library.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.commons\commons-vfs2\2.0\b5af3b9c96b060d77c68fa5ac9384b402dd58013\commons-vfs2-2.0.jar
Description: Low-level API
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.curator\curator-client\2.8.0\84feebaa8526f4984566f6a32f55d7689800acf9\curator-client-2.8.0.jar
Description: High-level API that greatly simplifies using ZooKeeper.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.curator\curator-framework\2.8.0\f8edc9156084ad19ae50ae5958bf218a08351834\curator-framework-2.8.0.jar
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Buffer overflow in the C cli shell in Apache Zookeeper before 3.4.9 and 3.5.x before 3.5.3, when using the "cmd:" batch mode syntax, allows attackers to have unspecified impact via a long command string.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.1
(AV:L/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-255 Credentials Management
Apache Zookeeper logs cleartext admin passwords, which allows local users to obtain sensitive information by reading the log.
Vulnerable Software & Versions: (show all)
Description: All of the recipes listed on the ZooKeeper recipes doc (except two phase commit).
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.curator\curator-recipes\2.8.0\c563e25fb37f85a6b029bc9746e75573640474fb\curator-recipes-2.8.0.jar
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Buffer overflow in the C cli shell in Apache Zookeeper before 3.4.9 and 3.5.x before 3.5.3, when using the "cmd:" batch mode syntax, allows attackers to have unspecified impact via a long command string.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.1
(AV:L/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-255 Credentials Management
Apache Zookeeper logs cleartext admin passwords, which allows local users to obtain sensitive information by reading the log.
Vulnerable Software & Versions: (show all)
Description: Apache CXF Core
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.cxf\cxf-core\3.0.3\d1c97f02c6ca0bab8b3c5315237c510523b86310\cxf-core-3.0.3.jar
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-384
Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifer corresponding to a cached token for another user.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation
JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-361 Time and State
The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.8
(AV:N/AC:L/Au:N/C:C/I:N/A:N)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current HttpServletRequest. The calculated base URL is used by FormattedServiceListWriter to build the service endpoint absolute URLs. If the unexpected matrix parameters have been injected into the request URL then these matrix parameters will find their way back to the client in the services list page which represents an XSS risk to the client.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SAML Web SSO module in Apache CXF before 2.7.18, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote authenticated users to bypass authentication via a crafted SAML response with a valid signed assertion, related to a "wrapping attack."
Vulnerable Software & Versions: (show all)
Description: Apache CXF Runtime JAX-RS Frontend
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.cxf\cxf-rt-frontend-jaxrs\3.0.3\284a35801aef259c0d61edb938865b5b125403ac\cxf-rt-frontend-jaxrs-3.0.3.jar
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-384
Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifer corresponding to a cached token for another user.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation
JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-361 Time and State
The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.8
(AV:N/AC:L/Au:N/C:C/I:N/A:N)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current HttpServletRequest. The calculated base URL is used by FormattedServiceListWriter to build the service endpoint absolute URLs. If the unexpected matrix parameters have been injected into the request URL then these matrix parameters will find their way back to the client in the services list page which represents an XSS risk to the client.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SAML Web SSO module in Apache CXF before 2.7.18, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote authenticated users to bypass authentication via a crafted SAML response with a valid signed assertion, related to a "wrapping attack."
Vulnerable Software & Versions: (show all)
Description: Apache CXF JAX-RS Client
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.cxf\cxf-rt-rs-client\3.0.3\45eabb80eb52ac54111c71e0d6f34c9c93f99b0d\cxf-rt-rs-client-3.0.3.jar
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-384
Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifer corresponding to a cached token for another user.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation
JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-361 Time and State
The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.8
(AV:N/AC:L/Au:N/C:C/I:N/A:N)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current HttpServletRequest. The calculated base URL is used by FormattedServiceListWriter to build the service endpoint absolute URLs. If the unexpected matrix parameters have been injected into the request URL then these matrix parameters will find their way back to the client in the services list page which represents an XSS risk to the client.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SAML Web SSO module in Apache CXF before 2.7.18, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote authenticated users to bypass authentication via a crafted SAML response with a valid signed assertion, related to a "wrapping attack."
Vulnerable Software & Versions: (show all)
Description: Apache CXF Runtime HTTP Transport
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.cxf\cxf-rt-transports-http\3.0.3\d0fe9957966496bcc9550dddfbe5100d84105d75\cxf-rt-transports-http-3.0.3.jar
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-384
Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifer corresponding to a cached token for another user.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-20 Improper Input Validation
JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and 3.0.13 do not validate that the service response was signed or encrypted, which allows remote attackers to spoof servers.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-361 Time and State
The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.8
(AV:N/AC:L/Au:N/C:C/I:N/A:N)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current HttpServletRequest. The calculated base URL is used by FormattedServiceListWriter to build the service endpoint absolute URLs. If the unexpected matrix parameters have been injected into the request URL then these matrix parameters will find their way back to the client in the services list page which represents an XSS risk to the client.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SAML Web SSO module in Apache CXF before 2.7.18, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote authenticated users to bypass authentication via a crafted SAML response with a valid signed assertion, related to a "wrapping attack."
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.derby\derby\10.11.1.1\df4b50061e8e4c348ce243b921f53ee63ba9bbe1\derby-10.11.1.1.jar
MD5: afe613d20dabc4eae9b025375adb7e84
SHA1: df4b50061e8e4c348ce243b921f53ee63ba9bbe1
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:N/A:P)
CWE: CWE-399 Resource Management Errors
XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving XmlVTI and the XML datatype.
Vulnerable Software & Versions: (show all)
Description: Apache Geronimo Transaction Manager
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.geronimo.components\geronimo-transaction\3.1.4\7db43d2032d5f38a47a39801903df8c97bd54155\geronimo-transaction-3.1.4.jar
Severity:
Low
CVSS Score: 2.1
(AV:L/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')
The init script for Apache Geronimo on SUSE Linux follows symlinks when performing a chown operation, which might allow local users to obtain access to unspecified files or directories.
Vulnerable Software & Versions:
Description: Java Activation Spec API 1.1
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.geronimo.specs\geronimo-activation_1.1_spec\1.1\f15af1b53fba7f23ce5e9de4fb57a88585aa9eee\geronimo-activation_1.1_spec-1.1.jar
Description: Java 2 Connector Architecture API
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.geronimo.specs\geronimo-j2ee-connector_1.6_spec\1.0\a1a1cb635415af603ffba27987ffcd3422fb7801\geronimo-j2ee-connector_1.6_spec-1.0.jar
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.geronimo.specs\geronimo-jaxrpc_1.1_spec\1.1\b0b1d499b5c7f53ed65fa1aadd6cfaf743480e1b\geronimo-jaxrpc_1.1_spec-1.1.jar
MD5: ee8d28584b602a03da5f9b4c068b2d53
SHA1: b0b1d499b5c7f53ed65fa1aadd6cfaf743480e1b
Referenced In Projects/Scopes:
Description: Provides open-source implementations of Sun specifications.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.geronimo.specs\geronimo-jms_1.1_spec\1.1.1\c872b46c601d8dc03633288b81269f9e42762cea\geronimo-jms_1.1_spec-1.1.1.jar
Description: Provides open-source implementations of Sun specifications.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.geronimo.specs\geronimo-jta_1.1_spec\1.1.1\aabab3165b8ea936b9360abbf448459c0d04a5a4\geronimo-jta_1.1_spec-1.1.1.jar
Description: Provides open-source implementations of Sun specifications.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.geronimo.specs\geronimo-stax-api_1.0_spec\1.0.1\1c171093a8b43aa550c6050ac441abe713ebb4f2\geronimo-stax-api_1.0_spec-1.0.1.jar
Description: Provides open-source implementations of Sun specifications.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.geronimo.specs\geronimo-ws-metadata_2.0_spec\1.1.2\7be9f049b4f0f0cf045675be5a0ff709d57cbc6a\geronimo-ws-metadata_2.0_spec-1.1.2.jar
Description: Apache Hadoop Annotations
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.hadoop\hadoop-annotations\2.7.2\80693ef2884927ee3c5464a7539fcfa4af382e14\hadoop-annotations-2.7.2.jar
MD5: 56e87afd2bf0d893ccb41142cacd6608
SHA1: 80693ef2884927ee3c5464a7539fcfa4af382e14
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands with the same privileges as the HDFS service.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential store provider used by the NodeManager to YARN Applications.
Vulnerable Software & Versions: (show all)
Description: Apache Hadoop Auth - Java HTTP SPNEGO
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.hadoop\hadoop-auth\2.7.2\bf613cfec06a1f3d3a91d7f82f9e4af75bc01f72\hadoop-auth-2.7.2.jar
MD5: 3aa98787a5b66b696c315ff78d61b355
SHA1: bf613cfec06a1f3d3a91d7f82f9e4af75bc01f72
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands with the same privileges as the HDFS service.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential store provider used by the NodeManager to YARN Applications.
Vulnerable Software & Versions: (show all)
Description: Apache Hadoop Common
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.hadoop\hadoop-common\2.7.2\422eb48913fa6f81835b3192c97a576505b6c192\hadoop-common-2.7.2.jar
MD5: 8046d8c1f63ce2a6b1d331825c504f8b
SHA1: 422eb48913fa6f81835b3192c97a576505b6c192
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands with the same privileges as the HDFS service.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential store provider used by the NodeManager to YARN Applications.
Vulnerable Software & Versions: (show all)
Description: Apache Hadoop HDFS
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.hadoop\hadoop-hdfs\2.7.2\3c304b3d9227fbf8af8bc1cab013271538c3cf0a\hadoop-hdfs-2.7.2.jar
MD5: f7db56210c32714e003e96127cef4caa
SHA1: 3c304b3d9227fbf8af8bc1cab013271538c3cf0a
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands with the same privileges as the HDFS service.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential store provider used by the NodeManager to YARN Applications.
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.htrace\htrace-core\3.2.0-incubating\8797cf3230f01e8724ef27a0ed565dabb6998c64\htrace-core-3.2.0-incubating.jar
MD5: 0b1b1a63aca83a11545de49218a251bf
SHA1: 8797cf3230f01e8724ef27a0ed565dabb6998c64
Referenced In Projects/Scopes:
Description:
Apache HttpComponents HttpClient - Cache
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.httpcomponents\httpclient-cache\4.4.1\6c9ba9c38bca8742d5745bb27bcd4b9c7542ea24\httpclient-cache-4.4.1.jar
MD5: 5d79921ccafc2a735f6c4186a3366e9e
SHA1: 6c9ba9c38bca8742d5745bb27bcd4b9c7542ea24
Referenced In Projects/Scopes:
Description:
Apache HttpComponents Client
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.httpcomponents\httpclient\4.4.1\16d0bc512222f1253ee6b64d389c84e22f697f0\httpclient-4.4.1.jar
MD5: 38f9399922142fc9538d690dbaae7e2e
SHA1: 016d0bc512222f1253ee6b64d389c84e22f697f0
Referenced In Projects/Scopes:
Description:
Apache HttpComponents Core (blocking I/O)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.httpcomponents\httpcore\4.4.1\f5aa318bda4c6c8d688c9d00b90681dcd82ce636\httpcore-4.4.1.jar
MD5: 27bf6d5323a86a6115b607ce82512d6c
SHA1: f5aa318bda4c6c8d688c9d00b90681dcd82ce636
Referenced In Projects/Scopes:
Description:
Apache HttpComponents HttpClient - MIME coded entities
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.httpcomponents\httpmime\4.4.1\2f8757f5ac5e38f46c794e5229d1f3c522e9b1df\httpmime-4.4.1.jar
MD5: 678b75d71032e823480a41123b6b3ce2
SHA1: 2f8757f5ac5e38f46c794e5229d1f3c522e9b1df
Referenced In Projects/Scopes:
Description: Java stream based MIME message parser
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.james\apache-mime4j-core\0.7.2\a81264fe0265ebe8fd1d8128aad06dc320de6eef\apache-mime4j-core-0.7.2.jar
Description: Java MIME Document Object Model
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.james\apache-mime4j-dom\0.7.2\1c289aa264548a0a1f1b43685a9cb2ab23f67287\apache-mime4j-dom-0.7.2.jar
Description: The Apache Log4j 1.x Compatibility API
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.logging.log4j\log4j-1.2-api\2.6.2\3b4c5a8b734b6a29b2f03380535a48da6284b210\log4j-1.2-api-2.6.2.jar
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
Vulnerable Software & Versions: (show all)
Description: The Apache Log4j API
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.logging.log4j\log4j-api\2.6.2\bd1b74a5d170686362091c7cf596bbc3adf5c09b\log4j-api-2.6.2.jar
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
Vulnerable Software & Versions: (show all)
Description: The Apache Log4j Implementation
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.logging.log4j\log4j-core\2.6.2\a91369f655eb1639c6aece5c5eb5108db18306\log4j-core-2.6.2.jar
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
Vulnerable Software & Versions: (show all)
Description: The Apache Log4j implementation of java.util.logging
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.logging.log4j\log4j-jul\2.6.2\afb8205d03d7f30405b385a2b0fdf1086bc9bc2a\log4j-jul-2.6.2.jar
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
Vulnerable Software & Versions: (show all)
Description: The Apache Log4j SLF4J API binding to Log4j 2 Core
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.logging.log4j\log4j-slf4j-impl\2.6.2\71d6c56133e0548e07434add048d7a7a2db53512\log4j-slf4j-impl-2.6.2.jar
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-analyzers-common\6.5.1\39dbaaea114a1be3c52f2faba64a36323d95ebc2\lucene-analyzers-common-6.5.1.jar
MD5: c128b920606a796db78a83a63737edc0
SHA1: 39dbaaea114a1be3c52f2faba64a36323d95ebc2
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-analyzers-kuromoji\6.5.1\aae8f7ca5c753afd017621872ebf030852bf2bef\lucene-analyzers-kuromoji-6.5.1.jar
MD5: 094f8ec5649c32c13d2e633f8ab1300a
SHA1: aae8f7ca5c753afd017621872ebf030852bf2bef
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-analyzers-phonetic\6.5.1\50b480f6b7f30926af73c9285df1eb39a512234f\lucene-analyzers-phonetic-6.5.1.jar
MD5: bb9a192c78222396c8f123c42bfdc225
SHA1: 50b480f6b7f30926af73c9285df1eb39a512234f
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-backward-codecs\6.5.1\e5bc976457f3217b74cf35af8747ad664219c25e\lucene-backward-codecs-6.5.1.jar
MD5: 365fe5ce4b0b42d7dff23ffa045d0781
SHA1: e5bc976457f3217b74cf35af8747ad664219c25e
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-classification\6.5.1\1787533c665359821e37215ad2f174d3f5c6161f\lucene-classification-6.5.1.jar
MD5: 33b4c1fa3b21ca6a932192d2b9bb5319
SHA1: 1787533c665359821e37215ad2f174d3f5c6161f
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-codecs\6.5.1\9f70b551c0f3798a82fa5dd66fe051671eba81f7\lucene-codecs-6.5.1.jar
MD5: 0e3afbd003614f8c196021b6b4164387
SHA1: 9f70b551c0f3798a82fa5dd66fe051671eba81f7
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-core\6.5.1\64ba6eab21a7dd5d80b55632d4bb09be4f1ea7e1\lucene-core-6.5.1.jar
MD5: 998187793ddda456aeaf5471b95e7457
SHA1: 64ba6eab21a7dd5d80b55632d4bb09be4f1ea7e1
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-expressions\6.5.1\7c41f9595f828370a5d4784e5045ba17f69026d8\lucene-expressions-6.5.1.jar
MD5: 0717af05cba3674abd9fe3df71de235b
SHA1: 7c41f9595f828370a5d4784e5045ba17f69026d8
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-grouping\6.5.1\4eff2dbfd60667da8961070c693e534fce56c3ea\lucene-grouping-6.5.1.jar
MD5: 25c19625dc136827ddf77a78aa04a319
SHA1: 4eff2dbfd60667da8961070c693e534fce56c3ea
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-highlighter\6.5.1\277fa328c1c6200eab3aa811bd203994a62225b4\lucene-highlighter-6.5.1.jar
MD5: d0ac6bb98ebf7b736c9ec70a398ba1f7
SHA1: 277fa328c1c6200eab3aa811bd203994a62225b4
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-join\6.5.1\850bb5c330fca052dbf4b191b05c9f7806517af7\lucene-join-6.5.1.jar
MD5: 1f27b97b8ee69a7286813d6f5e4a67a8
SHA1: 850bb5c330fca052dbf4b191b05c9f7806517af7
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-memory\6.5.1\b495b8129ce8ea6e86e396574e1932108aabdb4c\lucene-memory-6.5.1.jar
MD5: e85ae15fb1a6353ad4d626a3da97ab65
SHA1: b495b8129ce8ea6e86e396574e1932108aabdb4c
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-misc\6.5.1\3c18dce20c432c5caa435ed000e8366cc0630368\lucene-misc-6.5.1.jar
MD5: 1647623af86850f56b746fc18cfae92f
SHA1: 3c18dce20c432c5caa435ed000e8366cc0630368
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-queries\6.5.1\48f80f7b52f4ded001db8a1b7faa0b911955e9cb\lucene-queries-6.5.1.jar
MD5: 8df25b60a4a9ccd007a62031e7e96460
SHA1: 48f80f7b52f4ded001db8a1b7faa0b911955e9cb
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-queryparser\6.5.1\d93fe8eabd82c8f6951eeece76a6a3faf6ff0471\lucene-queryparser-6.5.1.jar
MD5: 8efa5426611adbdb44534fa2676ae1fb
SHA1: d93fe8eabd82c8f6951eeece76a6a3faf6ff0471
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-sandbox\6.5.1\1d7765bcaa2dcbee8083a4ecad74783849d83b4\lucene-sandbox-6.5.1.jar
MD5: 116639d60fa7feccedb6572c579adf35
SHA1: 01d7765bcaa2dcbee8083a4ecad74783849d83b4
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-spatial-extras\6.5.1\f58d228e73dcf28f0dcebe95661991361155c753\lucene-spatial-extras-6.5.1.jar
MD5: b2598e6e0edbb6d2a1f507456882ab00
SHA1: f58d228e73dcf28f0dcebe95661991361155c753
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.lucene\lucene-suggest\6.5.1\a9bcff6fec09a2b5d4ae82acfdc65db15bc3ecd6\lucene-suggest-6.5.1.jar
MD5: 624842e127cdcf4f40e6dfe20c23f9ec
SHA1: a9bcff6fec09a2b5d4ae82acfdc65db15bc3ecd6
Referenced In Projects/Scopes:
Description: The SCM API provides mechanisms to manage all SCM tools.
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.maven.scm\maven-scm-api\1.4\e294693ce217bd6f470b728127854e6ca787fd29\maven-scm-api-1.4.jar
MD5: bc840a6620ec3d3c56ce58b10076cef4
SHA1: e294693ce217bd6f470b728127854e6ca787fd29
Referenced In Projects/Scopes:
Description: Common library for SCM SVN Provider.
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.maven.scm\maven-scm-provider-svn-commons\1.4\54bc1dc24c5d205b4d251a83f4ea63808c21a628\maven-scm-provider-svn-commons-1.4.jar
MD5: 09e3cb24fa48c3d6427e1d2b79b42d26
SHA1: 54bc1dc24c5d205b4d251a83f4ea63808c21a628
Referenced In Projects/Scopes:
Description: Executable library for SCM SVN Provider.
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.maven.scm\maven-scm-provider-svnexe\1.4\b3213b40157b701ba079b738baac391e41418c18\maven-scm-provider-svnexe-1.4.jar
MD5: 6624c9c3324f88619205c2b8c60e583b
SHA1: b3213b40157b701ba079b738baac391e41418c18
Referenced In Projects/Scopes:
Description: Apache Neethi provides general framework for the programmers to use WS Policy. It is compliant with latest WS Policy specification which was published in March 2006. This framework is specifically written to enable the Apache Web services stack to use WS Policy as a way of expressing it's requirements and capabilities.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.neethi\neethi\3.0.3\ee37a38bbf9f355ee88ba554a85c9220b75ba500\neethi-3.0.3.jar
Description: The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.opennlp\opennlp-maxent\3.0.3\55e39e6b46e71f35229cdd6950e72d8cce3b5fd4\opennlp-maxent-3.0.3.jar
Description: The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.opennlp\opennlp-tools\1.5.3\826d34168b0e4870c9f599ed7f2b8fee4194ba3b\opennlp-tools-1.5.3.jar
Description:
The Apache FontBox library is an open source Java tool to obtain low level information
from font files. FontBox is a subproject of Apache PDFBox.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.pdfbox\fontbox\1.8.10\41776c7713e3f3a1ce688bd96459fc597298c340\fontbox-1.8.10.jar
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Absolute path traversal vulnerability in Font.php in the Font plugin before 7.5.1 for WordPress allows remote administrators to read arbitrary files via a full pathname in the url parameter to AjaxProxy.php.
Vulnerable Software & Versions:
Description:
The Apache JempBox library is an open source Java tool that implements Adobe's XMP(TM)
specification. JempBox is a subproject of Apache PDFBox.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.pdfbox\jempbox\1.8.10\40df4e4ca884aadc20b82d5abd0a3679774c55a6\jempbox-1.8.10.jar
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Apache PDFBox before 1.8.12 and 2.x before 2.0.1 does not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF.
Vulnerable Software & Versions: (show all)
Description:
The Apache PDFBox library is an open source Java tool for working with PDF documents.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.pdfbox\pdfbox\1.8.10\bc5d1254495be36d0a3b3d6c35f88d05200b9311\pdfbox-1.8.10.jar
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Apache PDFBox before 1.8.12 and 2.x before 2.0.1 does not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF.
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.poi\poi-excelant\3.14\49ded0a5f84a755ca7bce99ffe11fe6a972cb077\poi-excelant-3.14.jar
MD5: 5bad3dfa695bd5bc24560c9abc54e74e
SHA1: 49ded0a5f84a755ca7bce99ffe11fe6a972cb077
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.1
(AV:N/AC:M/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors
Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.poi\poi-ooxml-schemas\3.14\97fe4bfdef7f103bfd9ec63c98ea90469afeec7b\poi-ooxml-schemas-3.14.jar
MD5: e753093791ff46cec17447415b2841aa
SHA1: 97fe4bfdef7f103bfd9ec63c98ea90469afeec7b
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.1
(AV:N/AC:M/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors
Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.poi\poi-ooxml\3.14\911b3a5562b5dc4c5156d2d5f0f68a83346100d0\poi-ooxml-3.14.jar
MD5: e8ddefde540bce269c3bffc8835263c2
SHA1: 911b3a5562b5dc4c5156d2d5f0f68a83346100d0
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.1
(AV:N/AC:M/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors
Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.poi\poi-scratchpad\3.14\3c775b327fd4d451b6fa8d6111197a2d33d1dc00\poi-scratchpad-3.14.jar
MD5: 8934d390ba638a41823eb1d651a0e6cd
SHA1: 3c775b327fd4d451b6fa8d6111197a2d33d1dc00
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.1
(AV:N/AC:M/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors
Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.poi\poi\3.14\fad7ae6d2e59c59ffdb45f1981500babfa765180\poi-3.14.jar
MD5: 204b46d1644dcd7e1118e9443a19e0e8
SHA1: fad7ae6d2e59c59ffdb45f1981500babfa765180
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.1
(AV:N/AC:M/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors
Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.santuario\xmlsec\1.4.3\22629b7c6b25352c25be97d0839460fef58ec533\xmlsec-1.4.3.jar
MD5: 16a2d033196888c83e06ac9dda7f88de
SHA1: 22629b7c6b25352c25be97d0839460fef58ec533
Referenced In Projects/Scopes:
Description: Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.shiro\shiro-core\1.3.0\132a275104978c049e50b73f0299da44649b36d0\shiro-core-1.3.0.jar
Description: Implementations of metadata derived from ISO 19115. This module provides both an implementation of the metadata interfaces defined in GeoAPI, and a framework for handling those metadata through Java reflection.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.sis.core\sis-metadata\0.5\1bbd65e52d27b61c64944b9275c44ccd79f267a7\sis-metadata-0.5.jar
Description: Implementations of Coordinate Reference Systems (CRS), conversion and transformation services derived from ISO 19111.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.sis.core\sis-referencing\0.5\377246c70fd858346fab8a0e554bed3b3cfcde70\sis-referencing-0.5.jar
Description: Miscellaneous utilities.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.sis.core\sis-utility\0.5\aaea81deda0e3c7ca2602e7fb9459bcc19894ecf\sis-utility-0.5.jar
Description: Bridge between NetCDF Climate and Forecast (CF) convention and ISO 19115 metadata.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.sis.storage\sis-netcdf\0.5\2b416e4506caebe7df6dd21b878dae888e0eea39\sis-netcdf-0.5.jar
Description: Provides the interfaces and base classes to be implemented by various storage formats.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.sis.storage\sis-storage\0.5\29d1ea6422b68fbfe1f1702f122019ae376ee2c8\sis-storage-0.5.jar
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.solr\solr-core\6.5.1\f0fb2a1c0600f88b399f9de170814a022923faaa\solr-core-6.5.1.jar
MD5: 00182c0b2eafd9e738a01a3acbee9277
SHA1: f0fb2a1c0600f88b399f9de170814a022923faaa
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-287 Improper Authentication
Apache Solr uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially crafted node name that does not exist as part of the cluster and point it to a malicious node. This can trick the nodes in cluster to believe that the malicious node is a member of the cluster. So, if Solr users have enabled BasicAuth authentication mechanism using the BasicAuthPlugin or if the user has implemented a custom Authentication plugin, which does not implement either "HttpClientInterceptorPlugin" or "HttpClientBuilderPlugin", his/her servers are vulnerable to this attack. Users who only use SSL without basic authentication or those who use Kerberos are not affected.
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.solr\solr-solrj\6.5.1\5a4ec485e480b024a1ca19d378931fdbe2aed04a\solr-solrj-6.5.1.jar
MD5: a377a5bb178998f8bb1aba3c13ee6dda
SHA1: 5a4ec485e480b024a1ca19d378931fdbe2aed04a
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-287 Improper Authentication
Apache Solr uses a PKI based mechanism to secure inter-node communication when security is enabled. It is possible to create a specially crafted node name that does not exist as part of the cluster and point it to a malicious node. This can trick the nodes in cluster to believe that the malicious node is a member of the cluster. So, if Solr users have enabled BasicAuth authentication mechanism using the BasicAuthPlugin or if the user has implemented a custom Authentication plugin, which does not implement either "HttpClientInterceptorPlugin" or "HttpClientBuilderPlugin", his/her servers are vulnerable to this attack. Users who only use SSL without basic authentication or those who use Kerberos are not affected.
Vulnerable Software & Versions: (show all)
Description: This is the core Apache Tika™ toolkit library from which all other modules inherit functionality. It also
includes the core facades for the Tika API.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.tika\tika-core\1.12\5ab95580d22fe1dee79cffbcd98bb509a32da09b\tika-core-1.12.jar
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.
Vulnerable Software & Versions:
Description: Apache Tika is a toolkit for detecting and extracting metadata and structured text content from various documents using existing parser libraries.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.tika\tika-parsers\1.12\ee3ad76cb3066ba6c11e2db6d48b5ef6842a9788\tika-parsers-1.12.jar
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.tomcat.embed\tomcat-embed-core\8.0.39\c026332148ad464592cbc720a933388782c0d24a\tomcat-embed-core-8.0.39.jar
MD5: 6297b65d1700945427e99952249b3567
SHA1: c026332148ad464592cbc720a933388782c0d24a
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-345 Insufficient Verification of Data Authenticity
The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-254 Security Features
The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:P/A:N)
CWE: CWE-284 Improper Access Control
While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-388 Error Handling
A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.1
(AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.tomcat.embed\tomcat-embed-websocket\8.0.39\d71f453312b433b3e1c5a92060d145aceff1bf4d\tomcat-embed-websocket-8.0.39.jar
MD5: ef26fb940367b4cacec8d403625801f8
SHA1: d71f453312b433b3e1c5a92060d145aceff1bf4d
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-345 Insufficient Verification of Data Authenticity
The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-254 Security Features
The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:P/A:N)
CWE: CWE-284 Improper Access Control
While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-388 Error Handling
A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.1
(AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-annotations-api\8.5.16\a7b804d1ecd29de6b1ae85778fd5ea8baaf51f11\tomcat-annotations-api-8.5.16.jar
MD5: bdefa447145dca030a006e09fb584cef
SHA1: a7b804d1ecd29de6b1ae85778fd5ea8baaf51f11
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-19 Data Handling
It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.1
(AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-189 Numeric Errors
Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors
Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352
** DISPUTED ** Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that manipulate application deployment via the POST method, as demonstrated by a /manager/html/undeploy?path= URI. NOTE: the vendor disputes the significance of this report, stating that "the Apache Tomcat Security team has not accepted any reports of CSRF attacks against the Manager application ... as they require a reckless system administrator."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.8
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation
Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header. NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-16 Configuration
Apache Tomcat through 7.0.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-255 Credentials Management
The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-16 Configuration
The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ';' character, as demonstrated by a URI containing a "snp/snoop.jsp;" sequence.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.6
(AV:N/AC:H/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616".
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL, which are valid separators in Tomcat but not in Apache.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in the calendar application example in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.15 allows remote attackers to inject arbitrary web script or HTML via the time parameter to cal2.jsp and possibly unspecified other vectors. NOTE: this may be related to CVE-2006-0254.1.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in the example web applications for Jakarta Tomcat 5.5.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) el/functions.jsp, (2) el/implicit-objects.jsp, and (3) jspx/textRotate.jspx in examples/jsp2/, as demonstrated via script in a request to snp/snoop.jsp. NOTE: other XSS issues in the manager were simultaneously reported, but these require admin access and do not cross privilege boundaries.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Apache Tomcat before 5.x allows remote attackers to cause a denial of service (application crash) via a crafted AJP12 packet to TCP port 8007.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Jakarta Tomcat before 3.3.1a on certain Windows systems may allow remote attackers to cause a denial of service (thread hang and resource consumption) via a request for a JSP page containing an MS-DOS device name, such as aux.jsp.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Multiple cross-site scripting (XSS) vulnerabilities in the (1) examples and (2) ROOT web applications for Jakarta Tomcat 3.x through 3.3.1a allow remote attackers to insert arbitrary web script or HTML.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, uses trusted privileges when processing the web.xml file, which could allow remote attackers to read portions of some files through the web.xml file.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, allows remote attackers to list directories even with an index.html or other file present, or obtain unprocessed source code for a JSP file, via a URL containing a null character.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
The default installation of Apache Tomcat 4.0 through 4.1 and 3.0 through 3.3.1 allows remote attackers to obtain the installation path and other sensitive system information via the (1) SnoopServlet or (2) TroubleShooter example servlets.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
The default servlet (org.apache.catalina.servlets.DefaultServlet) in Tomcat 4.0.4 and 4.1.10 and earlier allows remote attackers to read source code for server files via a direct request to the servlet.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-254 Security Features
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Apache Software Foundation Tomcat Servlet prior to 3.2.2 allows a remote attacker to read the source code to arbitrary 'jsp' files via a malformed URL request which does not end with an HTTP protocol specification (i.e. HTTP/1.0).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Directory traversal vulnerability in source.jsp of Apache Tomcat before 3.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the argument to source.jsp.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:P/A:N)
The Snoop servlet in Jakarta Tomcat 3.1 and 3.0 under Apache reveals sensitive system information when a remote attacker requests a nonexistent URL with a .snp extension.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
The default configuration of Jakarta Tomcat does not restrict access to the /admin context, which allows remote attackers to read arbitrary files by directly calling the administrative servlets to add a context for the root directory.
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-api\8.5.16\24a7115d1e1edee5548452d50fdfb8a0cff08e18\tomcat-api-8.5.16.jar
MD5: e43c4d4b75a0627305630774da207fda
SHA1: 24a7115d1e1edee5548452d50fdfb8a0cff08e18
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-19 Data Handling
It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-catalina-ha\8.5.16\4e0410f10ba8eeec9f47b299879e7ad85715e350\tomcat-catalina-ha-8.5.16.jar
MD5: 33e14aae0da133b61eede0374f7b73b5
SHA1: 4e0410f10ba8eeec9f47b299879e7ad85715e350
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-19 Data Handling
It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-catalina\8.5.16\9f41a0e50a5e00050abdc42b23f7a4da4a95c2ec\tomcat-catalina-8.5.16.jar
MD5: 07e138b6e2d8199a20cd304d7d4a9900
SHA1: 9f41a0e50a5e00050abdc42b23f7a4da4a95c2ec
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-19 Data Handling
It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-coyote\8.5.16\4c2b784407405315786974b46f1797091b355bd5\tomcat-coyote-8.5.16.jar
MD5: 68aa9a2773f576e4433531dcf70cc487
SHA1: 4c2b784407405315786974b46f1797091b355bd5
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-19 Data Handling
It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-el-api\8.5.16\db1c1e355c7d317aec4a9ccb43148a2128d1eab9\tomcat-el-api-8.5.16.jar
MD5: 430ffd55c36e00651271ba6d53dc9c69
SHA1: db1c1e355c7d317aec4a9ccb43148a2128d1eab9
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-19 Data Handling
It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.1
(AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-189 Numeric Errors
Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors
Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352
** DISPUTED ** Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that manipulate application deployment via the POST method, as demonstrated by a /manager/html/undeploy?path= URI. NOTE: the vendor disputes the significance of this report, stating that "the Apache Tomcat Security team has not accepted any reports of CSRF attacks against the Manager application ... as they require a reckless system administrator."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.8
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation
Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header. NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-16 Configuration
Apache Tomcat through 7.0.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-255 Credentials Management
The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-16 Configuration
The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ';' character, as demonstrated by a URI containing a "snp/snoop.jsp;" sequence.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.6
(AV:N/AC:H/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616".
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL, which are valid separators in Tomcat but not in Apache.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in the calendar application example in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.15 allows remote attackers to inject arbitrary web script or HTML via the time parameter to cal2.jsp and possibly unspecified other vectors. NOTE: this may be related to CVE-2006-0254.1.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in the example web applications for Jakarta Tomcat 5.5.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) el/functions.jsp, (2) el/implicit-objects.jsp, and (3) jspx/textRotate.jspx in examples/jsp2/, as demonstrated via script in a request to snp/snoop.jsp. NOTE: other XSS issues in the manager were simultaneously reported, but these require admin access and do not cross privilege boundaries.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Apache Tomcat before 5.x allows remote attackers to cause a denial of service (application crash) via a crafted AJP12 packet to TCP port 8007.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Jakarta Tomcat before 3.3.1a on certain Windows systems may allow remote attackers to cause a denial of service (thread hang and resource consumption) via a request for a JSP page containing an MS-DOS device name, such as aux.jsp.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Multiple cross-site scripting (XSS) vulnerabilities in the (1) examples and (2) ROOT web applications for Jakarta Tomcat 3.x through 3.3.1a allow remote attackers to insert arbitrary web script or HTML.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, uses trusted privileges when processing the web.xml file, which could allow remote attackers to read portions of some files through the web.xml file.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, allows remote attackers to list directories even with an index.html or other file present, or obtain unprocessed source code for a JSP file, via a URL containing a null character.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
The default installation of Apache Tomcat 4.0 through 4.1 and 3.0 through 3.3.1 allows remote attackers to obtain the installation path and other sensitive system information via the (1) SnoopServlet or (2) TroubleShooter example servlets.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
The default servlet (org.apache.catalina.servlets.DefaultServlet) in Tomcat 4.0.4 and 4.1.10 and earlier allows remote attackers to read source code for server files via a direct request to the servlet.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-254 Security Features
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Apache Software Foundation Tomcat Servlet prior to 3.2.2 allows a remote attacker to read the source code to arbitrary 'jsp' files via a malformed URL request which does not end with an HTTP protocol specification (i.e. HTTP/1.0).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Directory traversal vulnerability in source.jsp of Apache Tomcat before 3.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the argument to source.jsp.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:P/A:N)
The Snoop servlet in Jakarta Tomcat 3.1 and 3.0 under Apache reveals sensitive system information when a remote attacker requests a nonexistent URL with a .snp extension.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
The default configuration of Jakarta Tomcat does not restrict access to the /admin context, which allows remote attackers to read arbitrary files by directly calling the administrative servlets to add a context for the root directory.
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-jasper-el\8.5.16\e1c1c6553f54f991f001ce3ca32253e21bf3917d\tomcat-jasper-el-8.5.16.jar
MD5: b70656e7c5b6834b48ed531a5f532152
SHA1: e1c1c6553f54f991f001ce3ca32253e21bf3917d
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-19 Data Handling
It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-jasper\8.5.16\9d2147a7b2c7832f482bd1c5a9e09088b8712bf4\tomcat-jasper-8.5.16.jar
MD5: f49f6492991d973f29766dbb74bbe161
SHA1: 9d2147a7b2c7832f482bd1c5a9e09088b8712bf4
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-19 Data Handling
It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-jaspic-api\8.5.16\ea3ac6dc090bf32b228278517581d59931195dea\tomcat-jaspic-api-8.5.16.jar
MD5: 2e705396a18e310e0e36ab6c3a391a6b
SHA1: ea3ac6dc090bf32b228278517581d59931195dea
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-19 Data Handling
It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-jni\8.5.16\7ed26776912a3ef20f189fb0e47fe2f808294903\tomcat-jni-8.5.16.jar
MD5: 5b8c30dbd234ce56692660cda87acd94
SHA1: 7ed26776912a3ef20f189fb0e47fe2f808294903
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-19 Data Handling
It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-jsp-api\8.5.16\a97648f6f00f8bba9ddf29a81dda9732e0a34ee\tomcat-jsp-api-8.5.16.jar
MD5: 43c15184cc7d611d2e025d3c769620ca
SHA1: 0a97648f6f00f8bba9ddf29a81dda9732e0a34ee
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-19 Data Handling
It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-juli\8.5.16\e9e65481ee92eaf7dace280320f28139d485c958\tomcat-juli-8.5.16.jar
MD5: 67eb0fb7c1977c37a49eac658f874b72
SHA1: e9e65481ee92eaf7dace280320f28139d485c958
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-servlet-api\8.5.16\622b639d512460106b2a1f970503bd8159407f8b\tomcat-servlet-api-8.5.16.jar
MD5: 16e6b8411871f8929920084bfbe13eb9
SHA1: 622b639d512460106b2a1f970503bd8159407f8b
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-19 Data Handling
It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.1
(AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-189 Numeric Errors
Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors
Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352
** DISPUTED ** Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that manipulate application deployment via the POST method, as demonstrated by a /manager/html/undeploy?path= URI. NOTE: the vendor disputes the significance of this report, stating that "the Apache Tomcat Security team has not accepted any reports of CSRF attacks against the Manager application ... as they require a reckless system administrator."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.8
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-20 Improper Input Validation
Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header. NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-16 Configuration
Apache Tomcat through 7.0.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-255 Credentials Management
The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat on Red Hat Enterprise Linux 5, Desktop Workstation 5, and Linux Desktop 5 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." NOTE: this is due to a missing fix for CVE-2009-0781.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-16 Configuration
The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ';' character, as demonstrated by a URI containing a "snp/snoop.jsp;" sequence.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.6
(AV:N/AC:H/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616".
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL, which are valid separators in Tomcat but not in Apache.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in the calendar application example in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.15 allows remote attackers to inject arbitrary web script or HTML via the time parameter to cal2.jsp and possibly unspecified other vectors. NOTE: this may be related to CVE-2006-0254.1.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in the example web applications for Jakarta Tomcat 5.5.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) el/functions.jsp, (2) el/implicit-objects.jsp, and (3) jspx/textRotate.jspx in examples/jsp2/, as demonstrated via script in a request to snp/snoop.jsp. NOTE: other XSS issues in the manager were simultaneously reported, but these require admin access and do not cross privilege boundaries.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Apache Tomcat before 5.x allows remote attackers to cause a denial of service (application crash) via a crafted AJP12 packet to TCP port 8007.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Jakarta Tomcat before 3.3.1a on certain Windows systems may allow remote attackers to cause a denial of service (thread hang and resource consumption) via a request for a JSP page containing an MS-DOS device name, such as aux.jsp.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Multiple cross-site scripting (XSS) vulnerabilities in the (1) examples and (2) ROOT web applications for Jakarta Tomcat 3.x through 3.3.1a allow remote attackers to insert arbitrary web script or HTML.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, uses trusted privileges when processing the web.xml file, which could allow remote attackers to read portions of some files through the web.xml file.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, allows remote attackers to list directories even with an index.html or other file present, or obtain unprocessed source code for a JSP file, via a URL containing a null character.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
The default installation of Apache Tomcat 4.0 through 4.1 and 3.0 through 3.3.1 allows remote attackers to obtain the installation path and other sensitive system information via the (1) SnoopServlet or (2) TroubleShooter example servlets.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
The default servlet (org.apache.catalina.servlets.DefaultServlet) in Tomcat 4.0.4 and 4.1.10 and earlier allows remote attackers to read source code for server files via a direct request to the servlet.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-254 Security Features
Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Apache Software Foundation Tomcat Servlet prior to 3.2.2 allows a remote attacker to read the source code to arbitrary 'jsp' files via a malformed URL request which does not end with an HTTP protocol specification (i.e. HTTP/1.0).
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Directory traversal vulnerability in source.jsp of Apache Tomcat before 3.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the argument to source.jsp.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:P/A:N)
The Snoop servlet in Jakarta Tomcat 3.1 and 3.0 under Apache reveals sensitive system information when a remote attacker requests a nonexistent URL with a .snp extension.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:P/A:N)
Jakarta Tomcat 3.1 under Apache reveals physical path information when a remote attacker requests a URL that does not exist, which generates an error message that includes the physical path.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
The default configuration of Jakarta Tomcat does not restrict access to the /admin context, which allows remote attackers to read arbitrary files by directly calling the administrative servlets to add a context for the root directory.
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-tribes\8.5.16\9dad3482b8410e1b5b1e62869fa8449b3eb92b0d\tomcat-tribes-8.5.16.jar
MD5: 953ea68523a8e13fb9c1ff8b0340c9a2
SHA1: 9dad3482b8410e1b5b1e62869fa8449b3eb92b0d
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-19 Data Handling
It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-util-scan\8.5.16\f3b500d114a9d4df709b93e5c2bbf12404a3f50a\tomcat-util-scan-8.5.16.jar
MD5: 6c889547401301107d53eba1e675b0d0
SHA1: f3b500d114a9d4df709b93e5c2bbf12404a3f50a
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-19 Data Handling
It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.tomcat\tomcat-util\8.5.16\983daef374b67522b2d50378f06363e684fea39e\tomcat-util-8.5.16.jar
MD5: 9e803b14acdb386feb91ca297a7549dc
SHA1: 983daef374b67522b2d50378f06363e684fea39e
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-19 Data Handling
It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.
Vulnerable Software & Versions:
Description: The Woden project is a subproject of the Apache Web Services Project to develop a Java class library for reading, manipulating, creating and writing WSDL documents, initially to support WSDL 2.0 but with the longer term aim of supporting past, present and future versions of WSDL. There are two main deliverables: an API and an implementation. The Woden API consists of a set of Java interfaces. The WSDL 2.0-specific portion of the Woden API conforms to the W3C WSDL 2.0 specification. The implementation will be a high performance implementation directly usable in other Apache projects such as Axis2.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.woden\woden-core\1.0M10\ffed89bc39eb7fce6b74765b3417c6844d8003a2\woden-core-1.0M10.jar
Description: The Axiom API
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.ws.commons.axiom\axiom-api\1.2.17\aaf2a6028822dd3d55a4221188ecb73d4c9e219a\axiom-api-1.2.17.jar
Description: The default implementation of the Axiom API.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.ws.commons.axiom\axiom-impl\1.2.17\6df316d52cfd9efc4ee155b4dff0125769af1580\axiom-impl-1.2.17.jar
Description:
This is a small collection of utility classes, that allow high performance XML
processing based on SAX. Basically, it is assumed, that you are using an JAXP
1.1 compliant XML parser and nothing else. In particular, no dependency on the
javax.xml.transform package is introduced.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.ws.commons.util\ws-commons-util\1.0.2\3f478e6def772c19d1053f61198fa1f6a6119238\ws-commons-util-1.0.2.jar
Description: Commons XMLSchema is a light weight schema object model that can be used to manipulate or
generate XML schema.
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.ws.xmlschema\xmlschema-core\2.2.1\2eff1f3776590d4c51cc735eab2143c497329f2\xmlschema-core-2.2.1.jar
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.xmlbeans\xmlbeans\2.6.0\29e80d2dd51f9dcdef8f9ffaee0d4dc1c9bbfc87\xmlbeans-2.6.0.jar
MD5: 6591c08682d613194dacb01e95c78c2c
SHA1: 29e80d2dd51f9dcdef8f9ffaee0d4dc1c9bbfc87
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\batik-anim\1.8\68197dfa3643a906ba250025a03dc42e6efe2dec\batik-anim-1.8.jar
MD5: 2df85ee1fb9645c9ace7a13505b7f860
SHA1: 68197dfa3643a906ba250025a03dc42e6efe2dec
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.9
(AV:N/AC:M/Au:S/C:C/I:N/A:C)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\batik-awt-util\1.8\5cd7f97060cdfab0139e70504962d48ceee71ef2\batik-awt-util-1.8.jar
MD5: 920f49ba45ad671a3827771ffb8271e9
SHA1: 5cd7f97060cdfab0139e70504962d48ceee71ef2
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.9
(AV:N/AC:M/Au:S/C:C/I:N/A:C)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\batik-bridge\1.8\4ab4110b0ed4650ef50d4a344f0ca5c027f3283a\batik-bridge-1.8.jar
MD5: ad81e06a8bfa1a6fe323fdf9ae062122
SHA1: 4ab4110b0ed4650ef50d4a344f0ca5c027f3283a
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.9
(AV:N/AC:M/Au:S/C:C/I:N/A:C)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\batik-css\1.8\2b3f22cc65702a0821b7f0178d055282a1cdde59\batik-css-1.8.jar
MD5: 958c61e42f99ef67d3c91dcb57defc4d
SHA1: 2b3f22cc65702a0821b7f0178d055282a1cdde59
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.9
(AV:N/AC:M/Au:S/C:C/I:N/A:C)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\batik-dom\1.8\4e696cf01cee52e8c4f86c842b5d8314e689209c\batik-dom-1.8.jar
MD5: c65a43a99108aa892f0824982f7f2560
SHA1: 4e696cf01cee52e8c4f86c842b5d8314e689209c
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.9
(AV:N/AC:M/Au:S/C:C/I:N/A:C)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\batik-ext\1.8\8713f3238cfac337624a90c3ad7d45d7bc6fb1b5\batik-ext-1.8.jar
MD5: a5d1350e2df7e272efe0dc446d757754
SHA1: 8713f3238cfac337624a90c3ad7d45d7bc6fb1b5
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.9
(AV:N/AC:M/Au:S/C:C/I:N/A:C)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\batik-extension\1.8\c5e9e1f07a65c89d2be92fd63e1b0f64357a46db\batik-extension-1.8.jar
MD5: d4a1e2f096fac94ee6363a1e2caf121e
SHA1: c5e9e1f07a65c89d2be92fd63e1b0f64357a46db
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.9
(AV:N/AC:M/Au:S/C:C/I:N/A:C)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\batik-gvt\1.8\fbde4cd3c43001c162446cf43093d09fda346e11\batik-gvt-1.8.jar
MD5: b8396b47285335c1622b4eb4854d406b
SHA1: fbde4cd3c43001c162446cf43093d09fda346e11
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.9
(AV:N/AC:M/Au:S/C:C/I:N/A:C)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\batik-parser\1.8\86ec4ab0c828b570d0ccbeba14f85ac011a333f2\batik-parser-1.8.jar
MD5: 153e8de1747f7b02b29711d831e01ebd
SHA1: 86ec4ab0c828b570d0ccbeba14f85ac011a333f2
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.9
(AV:N/AC:M/Au:S/C:C/I:N/A:C)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\batik-script\1.8\5bda6a9d45065b184c83c46b64d8002b4e0ab7c7\batik-script-1.8.jar
MD5: a53bc33be936b54252b8e1f40efb9367
SHA1: 5bda6a9d45065b184c83c46b64d8002b4e0ab7c7
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.9
(AV:N/AC:M/Au:S/C:C/I:N/A:C)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\batik-svg-dom\1.8\97c9d00d08c849066d2359b0f1124f0e82b952c2\batik-svg-dom-1.8.jar
MD5: e8f73ff8c0885f891b0378a417f993a5
SHA1: 97c9d00d08c849066d2359b0f1124f0e82b952c2
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.9
(AV:N/AC:M/Au:S/C:C/I:N/A:C)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\batik-svggen\1.8\c4684e18303e931845df704f9b9f6995fd770789\batik-svggen-1.8.jar
MD5: 5272d658db91a797d03e5786083e5689
SHA1: c4684e18303e931845df704f9b9f6995fd770789
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.9
(AV:N/AC:M/Au:S/C:C/I:N/A:C)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\batik-transcoder\1.8\f330b3e9946ff21ddf3ea6d4f58ae44145cfd362\batik-transcoder-1.8.jar
MD5: 64b8ece1cf1cbff76684ec370dbfd48b
SHA1: f330b3e9946ff21ddf3ea6d4f58ae44145cfd362
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.9
(AV:N/AC:M/Au:S/C:C/I:N/A:C)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\batik-util\1.8\35dcd204f397d6976290ca48ffa0011ba9b7ef43\batik-util-1.8.jar
MD5: f57ff00419b0776fbf670b8126fd06ad
SHA1: 35dcd204f397d6976290ca48ffa0011ba9b7ef43
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.9
(AV:N/AC:M/Au:S/C:C/I:N/A:C)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\batik-xml\1.8\9bf0ee759fed1e3a2e4ad41819eac69ff4873732\batik-xml-1.8.jar
MD5: 9728f9f46fbff6617f9c63b84a092ffb
SHA1: 9bf0ee759fed1e3a2e4ad41819eac69ff4873732
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.9
(AV:N/AC:M/Au:S/C:C/I:N/A:C)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\fop\2.1\c78a1013a5de5b49a3fb1c6f3289940f44554cb6\fop-2.1.jar
MD5: 11e45408cf99ad38fc20ff27df44ceef
SHA1: c78a1013a5de5b49a3fb1c6f3289940f44554cb6
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.xmlgraphics\xmlgraphics-commons\2.1\b61132defe1df4e91c1eb0ddf544958c50d358b5\xmlgraphics-commons-2.1.jar
MD5: ed394303ec89fd0604c98208f96a2c2f
SHA1: b61132defe1df4e91c1eb0ddf544958c50d358b5
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.xmlrpc\xmlrpc-client\3.1.2\ca8c57a1c4abc23b75b15ad636b4d20274f021c2\xmlrpc-client-3.1.2.jar
MD5: b2da22fd59a0a6c8cf412f6f50d9880c
SHA1: ca8c57a1c4abc23b75b15ad636b4d20274f021c2
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.xmlrpc\xmlrpc-common\3.1.2\a8b0084839aee2f48113b3dc2517b8022a5fbc0f\xmlrpc-common-3.1.2.jar
MD5: 4037cace113e54ff20222a43cdc4b65d
SHA1: a8b0084839aee2f48113b3dc2517b8022a5fbc0f
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.xmlrpc\xmlrpc-server\3.1.2\7e5123995d009129af3dfc663d2ec91c6541bf98\xmlrpc-server-3.1.2.jar
MD5: 04e884ead785a63e4ff8bc98f1f961f7
SHA1: 7e5123995d009129af3dfc663d2ec91c6541bf98
Referenced In Projects/Scopes:
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.zookeeper\zookeeper\3.4.6\1b2502e29da1ebaade2357cd1de35a855fa3755\zookeeper-3.4.6.jar
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Buffer overflow in the C cli shell in Apache Zookeeper before 3.4.9 and 3.5.x before 3.5.3, when using the "cmd:" batch mode syntax, allows attackers to have unspecified impact via a long command string.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.1
(AV:L/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-255 Credentials Management
Apache Zookeeper logs cleartext admin passwords, which allows local users to obtain sensitive information by reading the log.
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.aspectj\aspectjrt\1.8.0\302d0fe0abba26bbf5f31c3cd5337b3125c744e3\aspectjrt-1.8.0.jar
MD5: 038daf8a4723e6f34cdd2cad7e023e4f
SHA1: 302d0fe0abba26bbf5f31c3cd5337b3125c744e3
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.beanshell\bsh-core\2.0b4\495e25a99e29970ffe8ba0b1d551e1d1a9991fc1\bsh-core-2.0b4.jar
MD5: bab431f0908fde87034f0c34c6cf1e30
SHA1: 495e25a99e29970ffe8ba0b1d551e1d1a9991fc1
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Handling
BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.bouncycastle\bcmail-jdk15on\1.52\4995a870400e1554d1c7ed2afcb5d198fae12db9\bcmail-jdk15on-1.52.jar
MD5: 858597d61d2398a895c612f9df913dae
SHA1: 4995a870400e1554d1c7ed2afcb5d198fae12db9
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
The mail gem before 2.5.5 for Ruby (aka A Really Ruby Mail Library) is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.bouncycastle\bcpkix-jdk15on\1.52\b8ffac2bbc6626f86909589c8cc63637cc936504\bcpkix-jdk15on-1.52.jar
MD5: 72104264eec0fd299cca4b07eada5d5b
SHA1: b8ffac2bbc6626f86909589c8cc63637cc936504
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.bouncycastle\bcprov-jdk15on\1.52\88a941faf9819d371e3174b5ed56a3f3f7d73269\bcprov-jdk15on-1.52.jar
MD5: 873ac611cb0d7160c0a3d30eee964454
SHA1: 88a941faf9819d371e3174b5ed56a3f3f7d73269
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.bouncycastle\bctsp-jdk14\1.38\4821122f8390d15f4b5ee652621e2a2bb1f1bf16\bctsp-jdk14-1.38.jar
MD5: 7eb22fff640e0631b6af47ebd6de4924
SHA1: 4821122f8390d15f4b5ee652621e2a2bb1f1bf16
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.ccil.cowan.tagsoup\tagsoup\1.2.1\5584627487e984c03456266d3f8802eb85a9ce97\tagsoup-1.2.1.jar
MD5: ae73a52cdcbec10cd61d9ef22fab5936
SHA1: 5584627487e984c03456266d3f8802eb85a9ce97
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.codeartisans.thirdparties.swing\batik-all\1.8pre-r1084380\2898c85b844ad4db731d8dbd7bac395bece5bead\batik-all-1.8pre-r1084380.jar
MD5: 6b971c2c943d0d398744774c3df092bc
SHA1: 2898c85b844ad4db731d8dbd7bac395bece5bead
Referenced In Projects/Scopes:
Description: Groovy Runtime
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.codehaus.groovy\groovy-all\2.4.12\760afc568cbd94c09d78f801ce51aed1326710af\groovy-all-2.4.12.jar
MD5: dddb0b3d3619875fa1c538c743ae8f99
SHA1: 760afc568cbd94c09d78f801ce51aed1326710af
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-254 Security Features
main/java/org/apache/directory/groovyldap/LDAP.java in the Groovy LDAP API allows attackers to conduct LDAP entry poisoning attacks by leveraging setting returnObjFlag to true for all search methods.
Vulnerable Software & Versions:
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.codehaus.jackson\jackson-core-asl\1.9.13\3c304d70f42f832e0a86d45bd437f692129299a4\jackson-core-asl-1.9.13.jar
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.codehaus.jackson\jackson-mapper-asl\1.9.13\1ee2f2bed0e5dd29d1cb155a166e6f8d50bbddb7\jackson-mapper-asl-1.9.13.jar
Description: Janino is a super-small, super-fast Java compiler.
License:
http://dist.codehaus.org/janino/new_bsd_license.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.codehaus.janino\commons-compiler\2.7.6\b71e76d942b33dfa26e4e3047ff2a774d1f917b4\commons-compiler-2.7.6.jar
Description: Janino is a super-small, super-fast Java compiler.
License:
http://dist.codehaus.org/janino/new_bsd_license.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.codehaus.janino\janino\2.7.6\37fde5de7edd5d7ebe075f03f4c083df2ac73dd8\janino-2.7.6.jar
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.codehaus.mojo\animal-sniffer-annotations\1.14\775b7e22fb10026eed3f86e8dc556dfafe35f2d5\animal-sniffer-annotations-1.14.jar
MD5: 9d42e46845c874f1710a9f6a741f6c14
SHA1: 775b7e22fb10026eed3f86e8dc556dfafe35f2d5
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.codehaus.plexus\plexus-utils\1.5.6\8fb6b798a4036048b3005e058553bf21a87802ed\plexus-utils-1.5.6.jar
MD5: d6070c2e77ca56adafa953215ddf744b
SHA1: 8fb6b798a4036048b3005e058553bf21a87802ed
Referenced In Projects/Scopes:
Description: tax2 API is an extension to basic Stax 1.0 API that adds significant new functionality, such as full-featured bi-direction validation interface and high-performance Typed Access API.
License:
The BSD License: http://www.opensource.org/licenses/bsd-license.phpFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.codehaus.woodstox\stax2-api\3.1.4\ac19014b1e6a7c08aad07fe114af792676b685b7\stax2-api-3.1.4.jar
License:
http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.codehaus.woodstox\woodstox-core-asl\4.4.1\84fee5eb1a4a1cefe65b6883c73b3fa83be3c1a1\woodstox-core-asl-4.4.1.jar
Description:
JHighlight is an embeddable pure Java syntax highlighting
library that supports Java, HTML, XHTML, XML and LZX
languages and outputs to XHTML.
It also supports RIFE templates tags and highlights them
clearly so that you can easily identify the difference
between your RIFE markup and the actual marked up source.
License:
CDDL, v1.0: http://www.opensource.org/licenses/cddl1.php LGPL, v2.1 or later: http://www.opensource.org/licenses/lgpl-license.phpFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.codelibs\jhighlight\1.0.2\992a8a8add10468930efc1f110f2895f68258a1e\jhighlight-1.0.2.jar
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\com.lowagie.text\2.1.7\18d4c7c2014447eacfd00c65c717b3cfc422407b\com.lowagie.text-2.1.7.jar
MD5: af7c1521ab58701d3a0cadc29ef3d15a
SHA1: 18d4c7c2014447eacfd00c65c717b3cfc422407b
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\javax.wsdl\1.5.1\29ec6b1964b05d6ff9728226d2a1e61fab3ac95c\javax.wsdl-1.5.1.jar
MD5: bf0c1e9a2431ee46940855f7c92628d8
SHA1: 29ec6b1964b05d6ff9728226d2a1e61fab3ac95c
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.apache.batik.bridge\1.6.0\e2db6eb9029356884f123a60e9b72a51919e9a6f\org.apache.batik.bridge-1.6.0.jar
MD5: e0136e6d36f5140dfea96ff1f3fea441
SHA1: e2db6eb9029356884f123a60e9b72a51919e9a6f
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.9
(AV:N/AC:M/Au:S/C:C/I:N/A:C)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:N/A:P)
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.apache.batik.css\1.6.0\1e54558f0ad4b78f907f3461c14c7a7a91aecab2\org.apache.batik.css-1.6.0.jar
MD5: a6b1201c835cb3e98733bd3214cb460e
SHA1: 1e54558f0ad4b78f907f3461c14c7a7a91aecab2
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.9
(AV:N/AC:M/Au:S/C:C/I:N/A:C)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:N/A:P)
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.apache.batik.dom.svg\1.6.0\ce507ddef394d6c6771bc8692c7db6afb1da4fa0\org.apache.batik.dom.svg-1.6.0.jar
MD5: e3093fc8645d18d9241c1db7b9064e32
SHA1: ce507ddef394d6c6771bc8692c7db6afb1da4fa0
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.9
(AV:N/AC:M/Au:S/C:C/I:N/A:C)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:N/A:P)
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.apache.batik.dom\1.6.0\e9fe8d31ea04c6cd566e35f61524e561821bbe57\org.apache.batik.dom-1.6.0.jar
MD5: d894d215bb57972a2c912016a7c8af26
SHA1: e9fe8d31ea04c6cd566e35f61524e561821bbe57
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.9
(AV:N/AC:M/Au:S/C:C/I:N/A:C)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:N/A:P)
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.apache.batik.ext.awt\1.6.0\4df20bee143553a89b26bc06411eb4dcf44ec18e\org.apache.batik.ext.awt-1.6.0.jar
MD5: 66ec3f38f8f1ab368acd97dea9d554a5
SHA1: 4df20bee143553a89b26bc06411eb4dcf44ec18e
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.9
(AV:N/AC:M/Au:S/C:C/I:N/A:C)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:N/A:P)
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.apache.batik.parser\1.6.0\5e6dd459704dd6bd168f1b030cb739872e994339\org.apache.batik.parser-1.6.0.jar
MD5: e9438886ce3c270c3ab3d8a3153607c6
SHA1: 5e6dd459704dd6bd168f1b030cb739872e994339
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.9
(AV:N/AC:M/Au:S/C:C/I:N/A:C)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:N/A:P)
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.apache.batik.svggen\1.6.0\5cb65af57bdfd093c47b3cf7bc8bb57e10f5451\org.apache.batik.svggen-1.6.0.jar
MD5: 2239ba844d960edd4874475630daf205
SHA1: 05cb65af57bdfd093c47b3cf7bc8bb57e10f5451
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.9
(AV:N/AC:M/Au:S/C:C/I:N/A:C)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:N/A:P)
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.apache.batik.transcoder\1.6.0\fc5d9326a3195f15781d2fcea862ec1767e30ebf\org.apache.batik.transcoder-1.6.0.jar
MD5: 68731962320372175c3b07cc97ab155b
SHA1: fc5d9326a3195f15781d2fcea862ec1767e30ebf
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.9
(AV:N/AC:M/Au:S/C:C/I:N/A:C)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:N/A:P)
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.apache.batik.util.gui\1.6.0\6afa9107935bdeede0487c770bb0537b1a341c81\org.apache.batik.util.gui-1.6.0.jar
MD5: 37cc80a8417e17b2f43b85f871b67714
SHA1: 6afa9107935bdeede0487c770bb0537b1a341c81
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.9
(AV:N/AC:M/Au:S/C:C/I:N/A:C)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:N/A:P)
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.apache.batik.util\1.6.0\74aafd6361820f7e67474e78b16fd4365d1a58a\org.apache.batik.util-1.6.0.jar
MD5: 3db4ec82c64ef8c985a818dc0fcde67e
SHA1: 074aafd6361820f7e67474e78b16fd4365d1a58a
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.9
(AV:N/AC:M/Au:S/C:C/I:N/A:C)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:N/A:P)
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.apache.batik.xml\1.6.0\8b3fbec88190a39eae4de5088a1199f23526258e\org.apache.batik.xml-1.6.0.jar
MD5: 4291f7898be4dcba99ba8dacfb8e9122
SHA1: 8b3fbec88190a39eae4de5088a1199f23526258e
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.9
(AV:N/AC:M/Au:S/C:C/I:N/A:C)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:N/A:P)
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.apache.commons.codec\1.3.0\72c73f3729b4ca49dac8691fb5adb194e8595799\org.apache.commons.codec-1.3.0.jar
MD5: e411b9d204b1a91d62b830a86e1f44ff
SHA1: 72c73f3729b4ca49dac8691fb5adb194e8595799
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.apache.xerces\2.9.0\615a1b724b88b81e8a040ec148fd25368f7b48e5\org.apache.xerces-2.9.0.jar
MD5: 99108dc0a0b108c5f3651f97bdc22084
SHA1: 615a1b724b88b81e8a040ec148fd25368f7b48e5
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.apache.xml.resolver\1.2.0\7c9c22053b04772e81dc62d665b202eeae82ae47\org.apache.xml.resolver-1.2.0.jar
MD5: f29e4c1d4936c28395beee34a755f3a6
SHA1: 7c9c22053b04772e81dc62d665b202eeae82ae47
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.apache.xml.serializer\2.7.1\a8508e22414c8e12cdfdc42b25a7c7efa4004556\org.apache.xml.serializer-2.7.1.jar
MD5: 6bfe11d68939f35a28c21d309835adc3
SHA1: a8508e22414c8e12cdfdc42b25a7c7efa4004556
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.mozilla.javascript\1.7.2\b520e18bd357a47deb2e902ce49533564236219b\org.mozilla.javascript-1.7.2.jar
MD5: ec441f8787033e99da1eb599e021dc78
SHA1: b520e18bd357a47deb2e902ce49533564236219b
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.w3c.css.sac\1.3.0\8dfb0e08c19f3b47290096d27ab71ed4f2a5000a\org.w3c.css.sac-1.3.0.jar
MD5: 5e7f05aba6c35250a6f0345a5f9c8ca0
SHA1: 8dfb0e08c19f3b47290096d27ab71ed4f2a5000a
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.w3c.dom.smil\1.0.0\674bdda9162b48419741da833e445e190f33a58a\org.w3c.dom.smil-1.0.0.jar
MD5: c2494764f38da65d09ce0a0444d00dcd
SHA1: 674bdda9162b48419741da833e445e190f33a58a
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\org.w3c.dom.svg\1.1.0\9c6413ed43b4e9ba56982a554e03bd012cc44ed9\org.w3c.dom.svg-1.1.0.jar
MD5: dcf64eb5f94cf993600f30aac878d329
SHA1: 9c6413ed43b4e9ba56982a554e03bd012cc44ed9
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime.3_7_1\Tidy\1\63b1e38f4ca630dbac3d2072cda2a9336914d10c\Tidy-1.jar
MD5: 00418be9ec69f7f9a2dda911a1e77eaf
SHA1: 63b1e38f4ca630dbac3d2072cda2a9336914d10c
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\com.ibm.icu\50.1.1.v201304230130\ff82137ba65f8676355452edc0ca57975d1b69f4\com.ibm.icu-50.1.1.v201304230130.jar
MD5: cc9d48d40fd8c18a2c4603e8403d6df6
SHA1: ff82137ba65f8676355452edc0ca57975d1b69f4
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\javax.xml.stream\1.0.1.v201004272200\3a4f0067058e2aa9af1c6e463bc8a147a99681c0\javax.xml.stream-1.0.1.v201004272200.jar
MD5: dfb3dc47c90f4273c2036aab23ee4fe3
SHA1: 3a4f0067058e2aa9af1c6e463bc8a147a99681c0
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.birt.runtime\4.4.1\d7f5495359184868842e469c1929109a0f69d87a\org.eclipse.birt.runtime-4.4.1.jar
MD5: bf28ed4bebc04a32e84e8982d80fa9fd
SHA1: d7f5495359184868842e469c1929109a0f69d87a
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.core.contenttype\3.4.200.v20130326-1255\9a032a98b4b139fa91522b10fdc61ffa9864414\org.eclipse.core.contenttype-3.4.200.v20130326-1255.jar
MD5: ae257d3da2fdc3bdd6391fdfcbe9f752
SHA1: 09a032a98b4b139fa91522b10fdc61ffa9864414
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.core.expressions\3.4.500.v20130515-1343\97cc20cce87af191fc620562ab74b1cde95947fd\org.eclipse.core.expressions-3.4.500.v20130515-1343.jar
MD5: 20da519a750933fa70944f49f2cc8ffd
SHA1: 97cc20cce87af191fc620562ab74b1cde95947fd
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.core.filesystem\1.4.0.v20130514-1240\e26398a301d91db6516debe38664239481d4b309\org.eclipse.core.filesystem-1.4.0.v20130514-1240.jar
MD5: 7f664cc54d9bc005c089087c867e6899
SHA1: e26398a301d91db6516debe38664239481d4b309
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.core.jobs\3.6.0.v20140424-0053\e013c919510607d9c8ac5585b66ff4ee5e364ec9\org.eclipse.core.jobs-3.6.0.v20140424-0053.jar
MD5: f9c929dce571e15fb713214d4f067470
SHA1: e013c919510607d9c8ac5585b66ff4ee5e364ec9
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.core.resources\3.9.1.v20140825-1431\24a0e4b809d9cb102e7bf8123a2844657b916090\org.eclipse.core.resources-3.9.1.v20140825-1431.jar
MD5: 948716ccf019137b26949aab7d2e72f0
SHA1: 24a0e4b809d9cb102e7bf8123a2844657b916090
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.core.resources\3.9.1.v20140825-1431\24a0e4b809d9cb102e7bf8123a2844657b916090\org.eclipse.core.resources-3.9.1.v20140825-1431.jar\ant_tasks\resources-ant.jar
MD5: 2e3d89f3c01f0deec05a4d04db4b67bd
SHA1: ac97fcd1a043208b58e6ec13c2708e5cbfdf9a55
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.core.runtime\3.9.0.v20130326-1255\47eedfa6e872020604db4b2e1949aa6ca273ac6a\org.eclipse.core.runtime-3.9.0.v20130326-1255.jar
MD5: 0dde7c81b2e6278cdd4a4b4821a54419
SHA1: 47eedfa6e872020604db4b2e1949aa6ca273ac6a
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.connectivity.apache.derby.dbdefinition\1.0.2.v201107221459\be66d744ac0e8f011055c37eb6c0b0b8de2d0978\org.eclipse.datatools.connectivity.apache.derby.dbdefinition-1.0.2.v201107221459.jar
MD5: 4d3e4a2cbaabc2bfa5aefb557d61ae37
SHA1: be66d744ac0e8f011055c37eb6c0b0b8de2d0978
Referenced In Projects/Scopes:
Severity:
Low
CVSS Score: 2.1
(AV:L/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Apache Derby before 10.1.2.1 exposes the (1) user and (2) password attributes in cleartext via (a) the RDBNAM parameter of the ACCSEC command and (b) the output of the DatabaseMetaData.getURL function, which allows context-dependent attackers to obtain sensitive information.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.connectivity.apache.derby\1.0.103.v201212070447\2257789d5761585d498d13bb2269c180c970f28d\org.eclipse.datatools.connectivity.apache.derby-1.0.103.v201212070447.jar
MD5: b9aeb8aeaa0809e9dc4a15388ec82d8f
SHA1: 2257789d5761585d498d13bb2269c180c970f28d
Referenced In Projects/Scopes:
Severity:
Low
CVSS Score: 2.1
(AV:L/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The password hash generation algorithm in the BUILTIN authentication functionality for Apache Derby before 10.6.1.0 performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Apache Derby before 10.1.2.1 exposes the (1) user and (2) password attributes in cleartext via (a) the RDBNAM parameter of the ACCSEC command and (b) the output of the DatabaseMetaData.getURL function, which allows context-dependent attackers to obtain sensitive information.
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.connectivity.console.profile\1.0.10.v201109250955\2c338e35fc23603cea9ebaf5177a0c042f38eea1\org.eclipse.datatools.connectivity.console.profile-1.0.10.v201109250955.jar
MD5: 9b8e7f6c69a0bf165645503775af9154
SHA1: 2c338e35fc23603cea9ebaf5177a0c042f38eea1
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.connectivity.db.generic\1.0.1.v201107221459\4dd3c5554bea2302448e4201167e36e2bf11d383\org.eclipse.datatools.connectivity.db.generic-1.0.1.v201107221459.jar
MD5: 43b6a19ecae85c97702103d4e3aad0e2
SHA1: 4dd3c5554bea2302448e4201167e36e2bf11d383
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.connectivity.dbdefinition.genericJDBC\1.0.1.v201107221459\1ee4dc13d331d13f2be2f1cb1b62b789c25db9cc\org.eclipse.datatools.connectivity.dbdefinition.genericJDBC-1.0.1.v201107221459.jar
MD5: 6fdf12a21f1fed08aa2588709699aba1
SHA1: 1ee4dc13d331d13f2be2f1cb1b62b789c25db9cc
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.connectivity.oda.consumer\3.2.6.v201305170644\45205c69d334dec54f76f8e2a5cacab8accde588\org.eclipse.datatools.connectivity.oda.consumer-3.2.6.v201305170644.jar
MD5: 600a4ccb15bfeb916a514d507e3f6c5d
SHA1: 45205c69d334dec54f76f8e2a5cacab8accde588
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.connectivity.oda.design\3.3.6.v201212070447\bce1829458bb7c58200cb72c045d48e82702d0a8\org.eclipse.datatools.connectivity.oda.design-3.3.6.v201212070447.jar
MD5: adda38edf0bc609098de5f74d24de2e3
SHA1: bce1829458bb7c58200cb72c045d48e82702d0a8
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.connectivity.oda.flatfile\3.1.8.v201403010906\3c62f783f8ac17aca5250f2a640dfd85c1df9178\org.eclipse.datatools.connectivity.oda.flatfile-3.1.8.v201403010906.jar
MD5: 3e014761ed380e969a586131b8138f5f
SHA1: 3c62f783f8ac17aca5250f2a640dfd85c1df9178
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.connectivity.oda.profile\3.2.9.v201403131814\2f795c899dac80982e95c9e2d5413ef88031cdab\org.eclipse.datatools.connectivity.oda.profile-3.2.9.v201403131814.jar
MD5: d6c9ad09ad88bc0daf6b3413d14d546b
SHA1: 2f795c899dac80982e95c9e2d5413ef88031cdab
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.connectivity.oda\3.4.3.v201405301249\91fa06c7a97275ea799fec9d557fc60def2e443d\org.eclipse.datatools.connectivity.oda-3.4.3.v201405301249.jar
MD5: 27cd0708de3587669ce5757e86d90a42
SHA1: 91fa06c7a97275ea799fec9d557fc60def2e443d
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.connectivity.sqm.core\1.2.8.v201401230755\c0d3d79971a815a4db6c5b009ada4f0f1f44e043\org.eclipse.datatools.connectivity.sqm.core-1.2.8.v201401230755.jar
MD5: 95679c586bf2429199ee06a9ad56a618
SHA1: c0d3d79971a815a4db6c5b009ada4f0f1f44e043
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.connectivity\1.2.11.v201401230755\2e2f258cf40953e97423343786eed44aaef5e207\org.eclipse.datatools.connectivity-1.2.11.v201401230755.jar
MD5: c8631d909028582b83a8df2e9691c6b9
SHA1: 2e2f258cf40953e97423343786eed44aaef5e207
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.hsqldb.dbdefinition\1.0.0.v201107221502\aa3214296e97b4dfd14345acea23f2c92e992c36\org.eclipse.datatools.enablement.hsqldb.dbdefinition-1.0.0.v201107221502.jar
MD5: 05e41d890be61af0474adb514358d03c
SHA1: aa3214296e97b4dfd14345acea23f2c92e992c36
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.hsqldb\1.0.0.v201107221502\5f987f4588c989290c038bd70460c36caa972c0b\org.eclipse.datatools.enablement.hsqldb-1.0.0.v201107221502.jar
MD5: 7acc8fad3f0bc091eaa32030fb8cdbf5
SHA1: 5f987f4588c989290c038bd70460c36caa972c0b
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.ibm.db2.luw.dbdefinition\1.0.4.v201107221502\7ba2ad3443244862426b20f2da73bb78c7223287\org.eclipse.datatools.enablement.ibm.db2.luw.dbdefinition-1.0.4.v201107221502.jar
MD5: a3575eef5353ab6e216804bb4b99d36e
SHA1: 7ba2ad3443244862426b20f2da73bb78c7223287
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 9.0
(AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in the UTL_FILE module in IBM DB2 and DB2 Connect 10.1 before FP1 on Windows allows remote authenticated users to modify, delete, or read arbitrary files via a pathname in the file field.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.9
(AV:N/AC:M/Au:S/C:N/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
IBM DB2 9.5 before FP7 and 9.7 before FP4 on Linux, UNIX, and Windows does not properly enforce privilege requirements for table access, which allows remote authenticated users to modify SYSSTAT.TABLES statistics columns via an UPDATE statement. NOTE: some of these details are obtained from third party information.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
IBM DB2 9.5 before FP7 and 9.7 before FP4 on Linux, UNIX, and Windows does not properly revoke role membership from groups, which allows remote authenticated users to execute non-DDL statements by leveraging previous inherited possession of a role, a different vulnerability than CVE-2011-0757. NOTE: some of these details are obtained from third party information.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 1.5
(AV:L/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in IBM DB2 9.7 before FP5 on UNIX, when the Self Tuning Memory Manager (STMM) feature and the AUTOMATIC DATABASE_MEMORY setting are configured, allows local users to cause a denial of service (daemon crash) via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
IBM DB2 9.1 before FP10, 9.5 before FP6a, and 9.7 before FP2 on Linux, UNIX, and Windows does not properly revoke the DBADM authority, which allows remote authenticated users to execute non-DDL statements by leveraging previous possession of this authority.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Buffer overflow in the DB2 Administration Server (DAS) component in IBM DB2 9.1 before FP10, 9.5 before FP7, and 9.7 before FP3 on Linux, UNIX, and Windows allows remote attackers to execute arbitrary code via unspecified vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Buffer overflow in the REPEAT function in IBM DB2 9.1 before FP9 allows remote authenticated users to cause a denial of service (trap) via unspecified vectors. NOTE: this might overlap CVE-2010-0462.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Unspecified vulnerability in db2jds in IBM DB2 8.1 before FP18 allows remote attackers to cause a denial of service (service crash) via "malicious packets."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.6
(AV:L/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
IBM DB2 8.1 before FP18 allows attackers to obtain unspecified access via a das command.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
Memory leak in the Security component in IBM DB2 8.1 before FP18 on Unix platforms allows attackers to cause a denial of service (memory consumption) via unspecified vectors, related to private memory within the DB2 memory structure.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.6
(AV:N/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-287 Improper Authentication
The Common Code Infrastructure component in IBM DB2 8 before FP17, 9.1 before FP7, and 9.5 before FP4, when LDAP security (aka IBMLDAPauthserver) and anonymous bind are enabled, allows remote attackers to bypass password authentication and establish a database connection via unspecified vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
IBM DB2 9.1 before FP7 returns incorrect query results in certain situations related to the order of application of an INNER JOIN predicate and an OUTER JOIN predicate, which might allow attackers to obtain sensitive information via a crafted query.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
The SORT/LIST SERVICES component in IBM DB2 9.1 before FP6 and 9.5 before FP2 writes sensitive information to the trace output, which allows attackers to obtain sensitive information by reading "PASSWORD-RELATED CONNECTION STRING KEYWORD VALUES."
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 10.0
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
The Native Managed Provider for .NET component in IBM DB2 8 before FP17, 9.1 before FP6, and 9.5 before FP2, when a definer cannot maintain objects, preserves views and triggers without marking them inoperative or dropping them, which has unknown impact and attack vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Unspecified vulnerability in the SQLNLS_UNPADDEDCHARLEN function in the New Compiler (aka Starburst derived compiler) component in the server in IBM DB2 9.1 before FP6 allows attackers to cause a denial of service (segmentation violation and trap) via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
IBM DB2 UDB 8.1 before FixPak 16, 8.2 before FixPak 9, and 9.1 before FixPak 4a allows remote attackers to cause a denial of service (instance crash) via a crafted SQLJRA packet within a CONNECT/ATTACH data stream that simulates a V7 client connect/attach request.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
IBM DB2 UDB 8 before Fixpak 17 allows remote attackers to cause a denial of service (instance crash) via a crafted CONNECT/ATTACH data stream that simulates a V7 client connect/attach request. NOTE: this may overlap CVE-2008-3858. NOTE: this issue exists because of an incomplete fix for CVE-2008-3959.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 8.5
(AV:N/AC:M/Au:S/C:C/I:C/A:C)
The NNSTAT (aka SYSPROC.NNSTAT) procedure in IBM DB2 8 before FP16, 9.1 before FP4a, and 9.5 before FP1 on Windows allows remote authenticated users to overwrite arbitrary files via the log file parameter.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.0
(AV:N/AC:L/Au:S/C:C/I:C/A:C)
Unspecified vulnerability in the ADMIN_SP_C procedure (SYSPROC.ADMIN_SP_C) in IBM DB2 UDB before 8.2 Fixpak 16, 9.1 before FP4a, and 9.5 before FP1 allows remote authenticated users to execute arbitrary code via unspecified attack vectors.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.8
(AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
IBM DB2 UDB 9.1 before Fixpak 4 does not properly manage storage of a list containing authentication information, which might allow attackers to cause a denial of service (instance crash) or trigger memory corruption. NOTE: the vendor description of this issue is too vague to be certain that it is security-related.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
Unspecified vulnerability in IBM Rational ClearQuest (CQ), when a Microsoft SQL Server or an IBM DB2 database is used, allows attackers to corrupt data via unspecified vectors.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 10.0
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-399 Resource Management Errors
IBM DB2 Universal Database (UDB) Administration Server (DAS) 8 before Fix Pack 16 and 9 before Fix Pack 4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via modified pointer values in unspecified remote administration requests, which triggers memory corruption or other invalid memory access. NOTE: this might be the same issue as CVE-2008-0698.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 10.0
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Multiple buffer overflows in the DB2 JDBC Applet Server (DB2JDS) service in IBM DB2 9.x and earlier allow remote attackers to (1) execute arbitrary code via a crafted packet to the DB2JDS service on tcp/6789; and cause a denial of service via (2) an invalid LANG parameter or (2) a long packet that generates a "MemTree overflow."
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.ibm.db2.luw\1.0.2.v201107221502\3e9920ed389a8eba9ba8ce46d0c0e8ac6da5b41d\org.eclipse.datatools.enablement.ibm.db2.luw-1.0.2.v201107221502.jar
MD5: e38c42056dcd4e9928c7f477d936a919
SHA1: 3e9920ed389a8eba9ba8ce46d0c0e8ac6da5b41d
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 9.0
(AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in the UTL_FILE module in IBM DB2 and DB2 Connect 10.1 before FP1 on Windows allows remote authenticated users to modify, delete, or read arbitrary files via a pathname in the file field.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.9
(AV:N/AC:M/Au:S/C:N/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
IBM DB2 9.5 before FP7 and 9.7 before FP4 on Linux, UNIX, and Windows does not properly enforce privilege requirements for table access, which allows remote authenticated users to modify SYSSTAT.TABLES statistics columns via an UPDATE statement. NOTE: some of these details are obtained from third party information.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
IBM DB2 9.5 before FP7 and 9.7 before FP4 on Linux, UNIX, and Windows does not properly revoke role membership from groups, which allows remote authenticated users to execute non-DDL statements by leveraging previous inherited possession of a role, a different vulnerability than CVE-2011-0757. NOTE: some of these details are obtained from third party information.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 1.5
(AV:L/AC:M/Au:S/C:N/I:N/A:P)
Unspecified vulnerability in IBM DB2 9.7 before FP5 on UNIX, when the Self Tuning Memory Manager (STMM) feature and the AUTOMATIC DATABASE_MEMORY setting are configured, allows local users to cause a denial of service (daemon crash) via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
IBM DB2 9.1 before FP10, 9.5 before FP6a, and 9.7 before FP2 on Linux, UNIX, and Windows does not properly revoke the DBADM authority, which allows remote authenticated users to execute non-DDL statements by leveraging previous possession of this authority.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Buffer overflow in the DB2 Administration Server (DAS) component in IBM DB2 9.1 before FP10, 9.5 before FP7, and 9.7 before FP3 on Linux, UNIX, and Windows allows remote attackers to execute arbitrary code via unspecified vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Buffer overflow in the REPEAT function in IBM DB2 9.1 before FP9 allows remote authenticated users to cause a denial of service (trap) via unspecified vectors. NOTE: this might overlap CVE-2010-0462.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Unspecified vulnerability in db2jds in IBM DB2 8.1 before FP18 allows remote attackers to cause a denial of service (service crash) via "malicious packets."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.6
(AV:L/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
IBM DB2 8.1 before FP18 allows attackers to obtain unspecified access via a das command.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
Memory leak in the Security component in IBM DB2 8.1 before FP18 on Unix platforms allows attackers to cause a denial of service (memory consumption) via unspecified vectors, related to private memory within the DB2 memory structure.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.6
(AV:N/AC:H/Au:N/C:P/I:N/A:N)
CWE: CWE-287 Improper Authentication
The Common Code Infrastructure component in IBM DB2 8 before FP17, 9.1 before FP7, and 9.5 before FP4, when LDAP security (aka IBMLDAPauthserver) and anonymous bind are enabled, allows remote attackers to bypass password authentication and establish a database connection via unspecified vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
IBM DB2 9.1 before FP7 returns incorrect query results in certain situations related to the order of application of an INNER JOIN predicate and an OUTER JOIN predicate, which might allow attackers to obtain sensitive information via a crafted query.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
The SORT/LIST SERVICES component in IBM DB2 9.1 before FP6 and 9.5 before FP2 writes sensitive information to the trace output, which allows attackers to obtain sensitive information by reading "PASSWORD-RELATED CONNECTION STRING KEYWORD VALUES."
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 10.0
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
The Native Managed Provider for .NET component in IBM DB2 8 before FP17, 9.1 before FP6, and 9.5 before FP2, when a definer cannot maintain objects, preserves views and triggers without marking them inoperative or dropping them, which has unknown impact and attack vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Unspecified vulnerability in the SQLNLS_UNPADDEDCHARLEN function in the New Compiler (aka Starburst derived compiler) component in the server in IBM DB2 9.1 before FP6 allows attackers to cause a denial of service (segmentation violation and trap) via unknown vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
IBM DB2 UDB 8.1 before FixPak 16, 8.2 before FixPak 9, and 9.1 before FixPak 4a allows remote attackers to cause a denial of service (instance crash) via a crafted SQLJRA packet within a CONNECT/ATTACH data stream that simulates a V7 client connect/attach request.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
IBM DB2 UDB 8 before Fixpak 17 allows remote attackers to cause a denial of service (instance crash) via a crafted CONNECT/ATTACH data stream that simulates a V7 client connect/attach request. NOTE: this may overlap CVE-2008-3858. NOTE: this issue exists because of an incomplete fix for CVE-2008-3959.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 8.5
(AV:N/AC:M/Au:S/C:C/I:C/A:C)
The NNSTAT (aka SYSPROC.NNSTAT) procedure in IBM DB2 8 before FP16, 9.1 before FP4a, and 9.5 before FP1 on Windows allows remote authenticated users to overwrite arbitrary files via the log file parameter.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 9.0
(AV:N/AC:L/Au:S/C:C/I:C/A:C)
Unspecified vulnerability in the ADMIN_SP_C procedure (SYSPROC.ADMIN_SP_C) in IBM DB2 UDB before 8.2 Fixpak 16, 9.1 before FP4a, and 9.5 before FP1 allows remote authenticated users to execute arbitrary code via unspecified attack vectors.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.8
(AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
IBM DB2 UDB 9.1 before Fixpak 4 does not properly manage storage of a list containing authentication information, which might allow attackers to cause a denial of service (instance crash) or trigger memory corruption. NOTE: the vendor description of this issue is too vague to be certain that it is security-related.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
Unspecified vulnerability in IBM Rational ClearQuest (CQ), when a Microsoft SQL Server or an IBM DB2 database is used, allows attackers to corrupt data via unspecified vectors.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 10.0
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-399 Resource Management Errors
IBM DB2 Universal Database (UDB) Administration Server (DAS) 8 before Fix Pack 16 and 9 before Fix Pack 4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via modified pointer values in unspecified remote administration requests, which triggers memory corruption or other invalid memory access. NOTE: this might be the same issue as CVE-2008-0698.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 10.0
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Multiple buffer overflows in the DB2 JDBC Applet Server (DB2JDS) service in IBM DB2 9.x and earlier allow remote attackers to (1) execute arbitrary code via a crafted packet to the DB2JDS service on tcp/6789; and cause a denial of service via (2) an invalid LANG parameter or (2) a long packet that generates a "MemTree overflow."
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.ibm.informix.dbdefinition\1.0.4.v201107221502\1587982c1ed42ca42e1fe02f1a3baf1faa4bcbb2\org.eclipse.datatools.enablement.ibm.informix.dbdefinition-1.0.4.v201107221502.jar
MD5: bd94b57db3ac938c9a517371dd9e8923
SHA1: 1587982c1ed42ca42e1fe02f1a3baf1faa4bcbb2
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.ibm.informix\1.0.1.v201107221502\8c1d7354580604905a00c7d9acce3fbc5696b537\org.eclipse.datatools.enablement.ibm.informix-1.0.1.v201107221502.jar
MD5: 9ffbdc7f0a83fbbb1d64cb3b9578e3fa
SHA1: 8c1d7354580604905a00c7d9acce3fbc5696b537
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.msft.sqlserver.dbdefinition\1.0.1.v201201240505\d18a0cca80deb6331f1caffea5abc8fa34e2060e\org.eclipse.datatools.enablement.msft.sqlserver.dbdefinition-1.0.1.v201201240505.jar
MD5: 4b552c372d4c69ed407bdc1bf5abbc9a
SHA1: d18a0cca80deb6331f1caffea5abc8fa34e2060e
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.msft.sqlserver\1.0.2.v201212120617\bff9658c0858cea81b373f1488274a1d9d200cc6\org.eclipse.datatools.enablement.msft.sqlserver-1.0.2.v201212120617.jar
MD5: 17b87437049e6d36e46af23c8e4faac8
SHA1: bff9658c0858cea81b373f1488274a1d9d200cc6
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.mysql.dbdefinition\1.0.4.v201109022331\7b1abc387591d4a9427bb13344243a220a5d751b\org.eclipse.datatools.enablement.mysql.dbdefinition-1.0.4.v201109022331.jar
MD5: dfa223ea33f41fe22cf29c3e57248628
SHA1: 7b1abc387591d4a9427bb13344243a220a5d751b
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 4.9
(AV:N/AC:M/Au:S/C:P/I:P/A:N)
Unspecified vulnerability in the MySQL Connectors component in Oracle MySQL 5.1.34 and earlier allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Connector/J.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.5
(AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier, and 5.1.28 and earlier, allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Server Replication.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-255 Credentials Management
Oracle MySQL and MariaDB 5.5.x before 5.5.29, 5.3.x before 5.3.12, and 5.2.x before 5.2.14 does not modify the salt during multiple executions of the change_user command within the same connection which makes it easier for remote authenticated users to conduct brute force password guessing attacks.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Oracle MySQL 5.1 before 5.1.49 and 5.0 before 5.0.92 allows remote authenticated users to cause a denial of service (mysqld daemon crash) by using EXPLAIN with crafted "SELECT ... UNION ... ORDER BY (SELECT ... WHERE ...)" statements, which triggers a NULL pointer dereference in the Item_singlerow_subselect::store function.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
Oracle MySQL 5.1 before 5.1.49 and 5.0 before 5.0.92 allows remote authenticated users to cause a denial of service (mysqld daemon crash) via a join query that uses a table with a unique SET column.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
MySQL before 5.1.48 allows remote authenticated users with alter database privileges to cause a denial of service (server crash and database loss) via an ALTER DATABASE command with a #mysql50# string followed by a . (dot), .. (dot dot), ../ (dot dot slash) or similar sequence, and an UPGRADE DATA DIRECTORY NAME command, which causes MySQL to move certain directories to the server data directory.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.6
(AV:L/AC:L/Au:N/C:N/I:P/A:P)
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')
MySQL before 5.1.46 allows local users to delete the data and index files of another user's MyISAM table via a symlink attack in conjunction with the DROP TABLE command, a different vulnerability than CVE-2008-4098 and CVE-2008-7247.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The mysql_uninstall_plugin function in sql/sql_plugin.cc in MySQL 5.1 before 5.1.46 does not check privileges before uninstalling a plugin, which allows remote attackers to uninstall arbitrary plugins via the UNINSTALL PLUGIN command.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41, when OpenSSL is used, accepts a value of zero for the depth of X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary SSL-based MySQL servers via a crafted certificate, as demonstrated by a certificate presented by a server linked against the yaSSL library.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
sql/item_xmlfunc.cc in MySQL 5.1 before 5.1.32 and 6.0 before 6.0.10 allows remote authenticated users to cause a denial of service (crash) via "an XPath expression employing a scalar expression as a FilterExpr with ExtractValue() or UpdateXML()," which triggers an assertion failure.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.6
(AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
MySQL 4.1.x before 4.1.24, 5.0.x before 5.0.60, 5.1.x before 5.1.24, and 6.0.x before 6.0.5 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are within the MySQL home data directory, which can point to tables that are created in the future.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
The convert_search_mode_to_innobase function in ha_innodb.cc in the InnoDB engine in MySQL 5.1.23-BK and earlier allows remote authenticated users to cause a denial of service (database crash) via a certain CONTAINS operation on an indexed column, which triggers an assertion error.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.9
(AV:N/AC:M/Au:S/C:N/I:P/A:P)
MySQL before 4.1.23, 5.0.x before 5.0.42, and 5.1.x before 5.1.18 does not require the DROP privilege for RENAME TABLE statements, which allows remote authenticated users to rename arbitrary tables.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors
The in_decimal::set function in item_cmpfunc.cc in MySQL before 5.0.40, and 5.1 before 5.1.18-beta, allows context-dependent attackers to cause a denial of service (crash) via a crafted IF clause that results in a divide-by-zero error and a NULL pointer dereference.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.1
(AV:L/AC:L/Au:N/C:N/I:N/A:P)
MySQL 5.x before 5.0.36 allows local users to cause a denial of service (database crash) by performing information_schema table subselects and using ORDER BY to sort a single-row result, which prevents certain structure elements from being initialized and triggers a NULL dereference in the filesort function.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
sql_select.cc in MySQL 5.0.x before 5.0.32 and 5.1.x before 5.1.14 allows remote authenticated users to cause a denial of service (crash) via an EXPLAIN SELECT FROM on the INFORMATION_SCHEMA table, as originally demonstrated using ORDER BY.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.6
(AV:N/AC:H/Au:N/C:N/I:N/A:P)
MySQL 4.x before 4.0.21, and 3.x before 3.23.49, allows attackers to cause a denial of service (crash or hang) via multiple threads that simultaneously alter MERGE table UNIONs.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 10.0
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Buffer overflow in the mysql_real_connect function in MySQL 4.x before 4.0.21, and 3.x before 3.23.49, allows remote DNS servers to cause a denial of service and possibly execute arbitrary code via a DNS response with a large address length (h_length).
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
MySQL 3.x before 3.23.59, 4.x before 4.0.19, 4.1.x before 4.1.2, and 5.x before 5.0.1, checks the CREATE/INSERT rights of the original table instead of the target table in an ALTER TABLE RENAME operation, which could allow attackers to conduct unauthorized activities.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.6
(AV:L/AC:L/Au:N/C:P/I:P/A:P)
The mysqlhotcopy script in mysql 4.0.20 and earlier, when using the scp method from the mysql-server package, allows local users to overwrite arbitrary files via a symlink attack on temporary files.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:H/Au:N/C:N/I:P/A:P)
Stack-based buffer overflow in the mysql_real_connect function in the MySql client library (libmysqlclient) 4.0.13 and earlier allows local users to execute arbitrary code via a long socket name, a different vulnerability than CVE-2001-1453.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Buffer overflow in MySQL before 3.23.33 allows remote attackers to execute arbitrary code via a long drop database request.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
MySQL before 3.23.31 allows users with a MySQL account to use the SHOW GRANTS command to obtain the encrypted administrator password from the mysql.user table and possibly gain privileges via password cracking.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Buffer overflow in MySQL before 3.23.31 allows attackers to cause a denial of service and possibly gain privileges.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.6
(AV:L/AC:L/Au:N/C:P/I:P/A:P)
Directory traversal vulnerability in MySQL before 3.23.36 allows local users to modify arbitrary files and gain privileges by creating a database whose name starts with .. (dot dot).
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.mysql\1.0.4.v201212120617\b8862d790cf4715ce8b1a5c54d9fa9ee2557154f\org.eclipse.datatools.enablement.mysql-1.0.4.v201212120617.jar
MD5: 44f378e79fa8e6401887f374b6a8ebad
SHA1: b8862d790cf4715ce8b1a5c54d9fa9ee2557154f
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 4.9
(AV:N/AC:M/Au:S/C:P/I:P/A:N)
Unspecified vulnerability in the MySQL Connectors component in Oracle MySQL 5.1.34 and earlier allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Connector/J.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 5.5
(AV:N/AC:L/Au:S/C:P/I:P/A:N)
CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Unspecified vulnerability in the Server component in Oracle MySQL 5.1.66 and earlier, and 5.1.28 and earlier, allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Server Replication.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-255 Credentials Management
Oracle MySQL and MariaDB 5.5.x before 5.5.29, 5.3.x before 5.3.12, and 5.2.x before 5.2.14 does not modify the salt during multiple executions of the change_user command within the same connection which makes it easier for remote authenticated users to conduct brute force password guessing attacks.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
Oracle MySQL 5.1 before 5.1.49 and 5.0 before 5.0.92 allows remote authenticated users to cause a denial of service (mysqld daemon crash) by using EXPLAIN with crafted "SELECT ... UNION ... ORDER BY (SELECT ... WHERE ...)" statements, which triggers a NULL pointer dereference in the Item_singlerow_subselect::store function.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
Oracle MySQL 5.1 before 5.1.49 and 5.0 before 5.0.92 allows remote authenticated users to cause a denial of service (mysqld daemon crash) via a join query that uses a table with a unique SET column.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
MySQL before 5.1.48 allows remote authenticated users with alter database privileges to cause a denial of service (server crash and database loss) via an ALTER DATABASE command with a #mysql50# string followed by a . (dot), .. (dot dot), ../ (dot dot slash) or similar sequence, and an UPGRADE DATA DIRECTORY NAME command, which causes MySQL to move certain directories to the server data directory.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.6
(AV:L/AC:L/Au:N/C:N/I:P/A:P)
CWE: CWE-59 Improper Link Resolution Before File Access ('Link Following')
MySQL before 5.1.46 allows local users to delete the data and index files of another user's MyISAM table via a symlink attack in conjunction with the DROP TABLE command, a different vulnerability than CVE-2008-4098 and CVE-2008-7247.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The mysql_uninstall_plugin function in sql/sql_plugin.cc in MySQL 5.1 before 5.1.46 does not check privileges before uninstalling a plugin, which allows remote attackers to uninstall arbitrary plugins via the UNINSTALL PLUGIN command.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41, when OpenSSL is used, accepts a value of zero for the depth of X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary SSL-based MySQL servers via a crafted certificate, as demonstrated by a certificate presented by a server linked against the yaSSL library.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
sql/item_xmlfunc.cc in MySQL 5.1 before 5.1.32 and 6.0 before 6.0.10 allows remote authenticated users to cause a denial of service (crash) via "an XPath expression employing a scalar expression as a FilterExpr with ExtractValue() or UpdateXML()," which triggers an assertion failure.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.6
(AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
MySQL 4.1.x before 4.1.24, 5.0.x before 5.0.60, 5.1.x before 5.1.24, and 6.0.x before 6.0.5 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are within the MySQL home data directory, which can point to tables that are created in the future.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
The convert_search_mode_to_innobase function in ha_innodb.cc in the InnoDB engine in MySQL 5.1.23-BK and earlier allows remote authenticated users to cause a denial of service (database crash) via a certain CONTAINS operation on an indexed column, which triggers an assertion error.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.9
(AV:N/AC:M/Au:S/C:N/I:P/A:P)
MySQL before 4.1.23, 5.0.x before 5.0.42, and 5.1.x before 5.1.18 does not require the DROP privilege for RENAME TABLE statements, which allows remote authenticated users to rename arbitrary tables.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors
The in_decimal::set function in item_cmpfunc.cc in MySQL before 5.0.40, and 5.1 before 5.1.18-beta, allows context-dependent attackers to cause a denial of service (crash) via a crafted IF clause that results in a divide-by-zero error and a NULL pointer dereference.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.1
(AV:L/AC:L/Au:N/C:N/I:N/A:P)
MySQL 5.x before 5.0.36 allows local users to cause a denial of service (database crash) by performing information_schema table subselects and using ORDER BY to sort a single-row result, which prevents certain structure elements from being initialized and triggers a NULL dereference in the filesort function.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
sql_select.cc in MySQL 5.0.x before 5.0.32 and 5.1.x before 5.1.14 allows remote authenticated users to cause a denial of service (crash) via an EXPLAIN SELECT FROM on the INFORMATION_SCHEMA table, as originally demonstrated using ORDER BY.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 2.6
(AV:N/AC:H/Au:N/C:N/I:N/A:P)
MySQL 4.x before 4.0.21, and 3.x before 3.23.49, allows attackers to cause a denial of service (crash or hang) via multiple threads that simultaneously alter MERGE table UNIONs.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 10.0
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Buffer overflow in the mysql_real_connect function in MySQL 4.x before 4.0.21, and 3.x before 3.23.49, allows remote DNS servers to cause a denial of service and possibly execute arbitrary code via a DNS response with a large address length (h_length).
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
MySQL 3.x before 3.23.59, 4.x before 4.0.19, 4.1.x before 4.1.2, and 5.x before 5.0.1, checks the CREATE/INSERT rights of the original table instead of the target table in an ALTER TABLE RENAME operation, which could allow attackers to conduct unauthorized activities.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.6
(AV:L/AC:L/Au:N/C:P/I:P/A:P)
The mysqlhotcopy script in mysql 4.0.20 and earlier, when using the scp method from the mysql-server package, allows local users to overwrite arbitrary files via a symlink attack on temporary files.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:H/Au:N/C:N/I:P/A:P)
Stack-based buffer overflow in the mysql_real_connect function in the MySql client library (libmysqlclient) 4.0.13 and earlier allows local users to execute arbitrary code via a long socket name, a different vulnerability than CVE-2001-1453.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Buffer overflow in MySQL before 3.23.33 allows remote attackers to execute arbitrary code via a long drop database request.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
MySQL before 3.23.31 allows users with a MySQL account to use the SHOW GRANTS command to obtain the encrypted administrator password from the mysql.user table and possibly gain privileges via password cracking.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Buffer overflow in MySQL before 3.23.31 allows attackers to cause a denial of service and possibly gain privileges.
Vulnerable Software & Versions:
Severity:
Medium
CVSS Score: 4.6
(AV:L/AC:L/Au:N/C:P/I:P/A:P)
Directory traversal vulnerability in MySQL before 3.23.36 allows local users to modify arbitrary files and gain privileges by creating a database whose name starts with .. (dot dot).
Vulnerable Software & Versions:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.oda.ws\1.2.6.v201403131825\cc7814580f2fb5890c54681fec0f98b3e1386b51\org.eclipse.datatools.enablement.oda.ws-1.2.6.v201403131825.jar
MD5: f38bc06778ddbd8297a522d6907f780b
SHA1: cc7814580f2fb5890c54681fec0f98b3e1386b51
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.oda.xml\1.2.5.v201305031101\b5be50518c251d4c022959aeb6f871d6fea33fcc\org.eclipse.datatools.enablement.oda.xml-1.2.5.v201305031101.jar
MD5: 58849f828c50fff8ef3e9be4ac636508
SHA1: b5be50518c251d4c022959aeb6f871d6fea33fcc
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.oracle.dbdefinition\1.0.103.v201206010214\af90f9d09101fb165a260896477c01385b6c8fd1\org.eclipse.datatools.enablement.oracle.dbdefinition-1.0.103.v201206010214.jar
MD5: f7cd9df4d5a76c851f3097996214862b
SHA1: af90f9d09101fb165a260896477c01385b6c8fd1
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.oracle\1.0.0.v201107221506\5628f462cfa241fff7b11f1df4c21802f174dd08\org.eclipse.datatools.enablement.oracle-1.0.0.v201107221506.jar
MD5: 4be65c4c38bee9128501d3169da945b2
SHA1: 5628f462cfa241fff7b11f1df4c21802f174dd08
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.postgresql.dbdefinition\1.0.2.v201110070445\8021bc614192f060a880cc407aba8adcfea6fb7f\org.eclipse.datatools.enablement.postgresql.dbdefinition-1.0.2.v201110070445.jar
MD5: 505940588e48631bd378b83030fa966e
SHA1: 8021bc614192f060a880cc407aba8adcfea6fb7f
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.6
(AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 might allow remote authenticated users with the CREATEDB or CREATEROLE role to gain superuser privileges via a (1) " (double quote), (2) \ (backslash), (3) carriage return, or (4) newline character in a (a) database or (b) role name that is mishandled during an administrative operation.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-476 NULL Pointer Dereference
PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 allow remote authenticated users to cause a denial of service (NULL pointer dereference and server crash), obtain sensitive memory information, or possibly execute arbitrary code via (1) a CASE expression within the test value subexpression of another CASE or (2) inlining of an SQL function that implements the equality operator used for a CASE expression involving values of different types.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1 allows remote attackers to cause a denial of service (infinite loop or buffer overflow and crash) via a large Unicode character range in a regular expression.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-284 Improper Access Control
PostgreSQL PL/Java after 9.0 does not honor access controls on large objects.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 9.0
(AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1 does not properly restrict access to unspecified custom configuration settings (GUCS) for PL/Java, which allows attackers to gain privileges via unspecified vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Multiple stack-based buffer overflows in json parsing in PostgreSQL before 9.3.x before 9.3.10 and 9.4.x before 9.4.5 allow attackers to cause a denial of service (server crash) via unspecified vectors, which are not properly handled in (1) json or (2) jsonb values.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:N/A:P)
CWE: CWE-200 Information Exposure
The crypt function in contrib/pgcrypto in PostgreSQL before 9.0.23, 9.1.x before 9.1.19, 9.2.x before 9.2.14, 9.3.x before 9.3.10, and 9.4.x before 9.4.5 allows attackers to cause a denial of service (server crash) or read arbitrary server memory via a "too-short" salt.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 allows remote attackers to cause a denial of service (crash) by closing an SSL session at a time when the authentication timeout will expire during the session shutdown sequence.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.6
(AV:L/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The "make check" command for the test suites in PostgreSQL 9.3.3 and earlier does not properly invoke initdb to specify the authentication requirements for a database cluster to be used for the tests, which allows local users to gain privileges by leveraging access to this cluster.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
The chkpass extension in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly check the return value of the crypt library function, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via unspecified vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Multiple buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, a different vulnerability than CVE-2014-0063.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-189 Numeric Errors
Multiple integer overflows in the path_in and other unspecified functions in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, which trigger a buffer overflow. NOTE: this identifier has been SPLIT due to different affected versions; use CVE-2014-2669 for the hstore vector.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Multiple stack-based buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via vectors related to an incorrect MAXDATELEN constant and datetime values involving (1) intervals, (2) timestamps, or (3) timezones, a different vulnerability than CVE-2014-0065.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.9
(AV:N/AC:M/Au:S/C:P/I:P/A:N)
CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Race condition in the (1) CREATE INDEX and (2) unspecified ALTER TABLE commands in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allows remote authenticated users to create an unauthorized index or read portions of unauthorized tables by creating or deleting a table with the same name during the timing window.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The validator functions for the procedural languages (PLs) in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to gain privileges via a function that is (1) defined in another language or (2) not allowed to be directly called by the user due to permissions.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly enforce the ADMIN OPTION restriction, which allows remote authenticated members of a role to add or remove arbitrary users to that role by calling the SET ROLE command before the associated GRANT command.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors
Integer overflow in src/backend/executor/nodeHash.c in PostgreSQL 8.4.1 and earlier, and 8.5 through 8.5alpha2, allows remote authenticated users to cause a denial of service (daemon crash) via a SELECT statement with many LEFT JOIN clauses, related to certain hashtable size calculations.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
The regular expression parser in TCL before 8.4.17, as used in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, and 7.4 before 7.4.19, allows context-dependent attackers to cause a denial of service (infinite loop) via a crafted regular expression.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.0
(AV:N/AC:M/Au:S/C:P/I:P/A:P)
Untrusted search path vulnerability in PostgreSQL before 7.3.19, 7.4.x before 7.4.17, 8.0.x before 8.0.13, 8.1.x before 8.1.9, and 8.2.x before 8.2.4 allows remote authenticated users, when permitted to call a SECURITY DEFINER function, to gain the privileges of the function owner, related to "search_path settings."
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.enablement.postgresql\1.1.1.v201205252207\ddd733b059a41aa86aceed5344d1b4799802f5c0\org.eclipse.datatools.enablement.postgresql-1.1.1.v201205252207.jar
MD5: 0e1243739661726d3a98234922777ee9
SHA1: ddd733b059a41aa86aceed5344d1b4799802f5c0
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.6
(AV:N/AC:H/Au:S/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 might allow remote authenticated users with the CREATEDB or CREATEROLE role to gain superuser privileges via a (1) " (double quote), (2) \ (backslash), (3) carriage return, or (4) newline character in a (a) database or (b) role name that is mishandled during an administrative operation.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-476 NULL Pointer Dereference
PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 allow remote authenticated users to cause a denial of service (NULL pointer dereference and server crash), obtain sensitive memory information, or possibly execute arbitrary code via (1) a CASE expression within the test value subexpression of another CASE or (2) inlining of an SQL function that implements the equality operator used for a CASE expression involving values of different types.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1 allows remote attackers to cause a denial of service (infinite loop or buffer overflow and crash) via a large Unicode character range in a regular expression.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-284 Improper Access Control
PostgreSQL PL/Java after 9.0 does not honor access controls on large objects.
Vulnerable Software & Versions:
Severity:
High
CVSS Score: 9.0
(AV:N/AC:L/Au:S/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1 does not properly restrict access to unspecified custom configuration settings (GUCS) for PL/Java, which allows attackers to gain privileges via unspecified vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Multiple stack-based buffer overflows in json parsing in PostgreSQL before 9.3.x before 9.3.10 and 9.4.x before 9.4.5 allow attackers to cause a denial of service (server crash) via unspecified vectors, which are not properly handled in (1) json or (2) jsonb values.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:N/A:P)
CWE: CWE-200 Information Exposure
The crypt function in contrib/pgcrypto in PostgreSQL before 9.0.23, 9.1.x before 9.1.19, 9.2.x before 9.2.14, 9.3.x before 9.3.10, and 9.4.x before 9.4.5 allows attackers to cause a denial of service (server crash) or read arbitrary server memory via a "too-short" salt.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 allows remote attackers to cause a denial of service (crash) by closing an SSL session at a time when the authentication timeout will expire during the session shutdown sequence.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.6
(AV:L/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The "make check" command for the test suites in PostgreSQL 9.3.3 and earlier does not properly invoke initdb to specify the authentication requirements for a database cluster to be used for the tests, which allows local users to gain privileges by leveraging access to this cluster.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
The chkpass extension in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly check the return value of the crypt library function, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via unspecified vectors.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Multiple buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, a different vulnerability than CVE-2014-0063.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-189 Numeric Errors
Multiple integer overflows in the path_in and other unspecified functions in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, which trigger a buffer overflow. NOTE: this identifier has been SPLIT due to different affected versions; use CVE-2014-2669 for the hstore vector.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Multiple stack-based buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via vectors related to an incorrect MAXDATELEN constant and datetime values involving (1) intervals, (2) timestamps, or (3) timezones, a different vulnerability than CVE-2014-0065.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.9
(AV:N/AC:M/Au:S/C:P/I:P/A:N)
CWE: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Race condition in the (1) CREATE INDEX and (2) unspecified ALTER TABLE commands in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allows remote authenticated users to create an unauthorized index or read portions of unauthorized tables by creating or deleting a table with the same name during the timing window.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The validator functions for the procedural languages (PLs) in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to gain privileges via a function that is (1) defined in another language or (2) not allowed to be directly called by the user due to permissions.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly enforce the ADMIN OPTION restriction, which allows remote authenticated members of a role to add or remove arbitrary users to that role by calling the SET ROLE command before the associated GRANT command.
Vulnerable Software & Versions: (show all)
Severity:
Low
CVSS Score: 3.5
(AV:N/AC:M/Au:S/C:N/I:N/A:P)
CWE: CWE-189 Numeric Errors
Integer overflow in src/backend/executor/nodeHash.c in PostgreSQL 8.4.1 and earlier, and 8.5 through 8.5alpha2, allows remote authenticated users to cause a denial of service (daemon crash) via a SELECT statement with many LEFT JOIN clauses, related to certain hashtable size calculations.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors
The regular expression parser in TCL before 8.4.17, as used in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, and 7.4 before 7.4.19, allows context-dependent attackers to cause a denial of service (infinite loop) via a crafted regular expression.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.0
(AV:N/AC:M/Au:S/C:P/I:P/A:P)
Untrusted search path vulnerability in PostgreSQL before 7.3.19, 7.4.x before 7.4.17, 8.0.x before 8.0.13, 8.1.x before 8.1.9, and 8.2.x before 8.2.4 allows remote authenticated users, when permitted to call a SECURITY DEFINER function, to gain the privileges of the function owner, related to "search_path settings."
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.modelbase.dbdefinition\1.0.2.v201107221519\725b5a9cbd280b8e6c9a6fd32cbe44bf1aae10a3\org.eclipse.datatools.modelbase.dbdefinition-1.0.2.v201107221519.jar
MD5: 8bf72752aec7975cbe3fc13a56137975
SHA1: 725b5a9cbd280b8e6c9a6fd32cbe44bf1aae10a3
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.modelbase.derby\1.0.0.v201107221519\93018a0f0e585dd4ceb70e849570d6143034273a\org.eclipse.datatools.modelbase.derby-1.0.0.v201107221519.jar
MD5: 690932e0843d8a64619cc8a9b8e39408
SHA1: 93018a0f0e585dd4ceb70e849570d6143034273a
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.modelbase.sql.query\1.1.4.v201212120619\663bfc41efd6030a37f7e6e7baf3b259606c1bcc\org.eclipse.datatools.modelbase.sql.query-1.1.4.v201212120619.jar
MD5: c5bdb5c33253c78e9cf3fceb476357f2
SHA1: 663bfc41efd6030a37f7e6e7baf3b259606c1bcc
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.datatools.modelbase.sql\1.0.6.v201208230744\731de727a1154c562038b045fa247716f68e93fe\org.eclipse.datatools.modelbase.sql-1.0.6.v201208230744.jar
MD5: b73d784c71179bd2ab08499c373cd2c0
SHA1: 731de727a1154c562038b045fa247716f68e93fe
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.emf.common\2.10.1.v20140901-1043\4a9dbfa87401190c710c16dcbbc7a2ea7cc3ff70\org.eclipse.emf.common-2.10.1.v20140901-1043.jar
MD5: df980d426f472a019fe8c58f1f420a0b
SHA1: 4a9dbfa87401190c710c16dcbbc7a2ea7cc3ff70
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.emf.ecore.change\2.10.0.v20140901-1043\c42c134004940345d45bf8367dae63c871a2420f\org.eclipse.emf.ecore.change-2.10.0.v20140901-1043.jar
MD5: 374a1da708946f84e519eeed88f7062b
SHA1: c42c134004940345d45bf8367dae63c871a2420f
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.emf.ecore.xmi\2.10.1.v20140901-1043\2a524cbae6c0ad0410c89270eb928ad90f75c95e\org.eclipse.emf.ecore.xmi-2.10.1.v20140901-1043.jar
MD5: 47a6f6ebfb8ae5ed9c82360f8d670683
SHA1: 2a524cbae6c0ad0410c89270eb928ad90f75c95e
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.emf.ecore\2.10.1.v20140901-1043\2da5a93e1d6eb2b6f78f215accc3304209b26104\org.eclipse.emf.ecore-2.10.1.v20140901-1043.jar
MD5: 28268d1878d5c7fc0248e1d24ca372db
SHA1: 2da5a93e1d6eb2b6f78f215accc3304209b26104
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.emf\2.6.0.v20140901-1055\11d8c54ef675a951256777a9f36ebf7e1646ffd6\org.eclipse.emf-2.6.0.v20140901-1055.jar
MD5: 9a377c1c93e9f69918196678d59a8ca8
SHA1: 11d8c54ef675a951256777a9f36ebf7e1646ffd6
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.equinox.app\1.3.100.v20130327-1442\cfe0deab8c3c4f4caea3767bc8bbaa4789b8f782\org.eclipse.equinox.app-1.3.100.v20130327-1442.jar
MD5: 2f4d4cc26c71bd7383fd9b7762ed57ae
SHA1: cfe0deab8c3c4f4caea3767bc8bbaa4789b8f782
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.equinox.common\3.6.200.v20130402-1505\550778d95ea4d5f2fee765e85eb799cec21067e0\org.eclipse.equinox.common-3.6.200.v20130402-1505.jar
MD5: 551dd5efb955af78e2794fb67a30be0c
SHA1: 550778d95ea4d5f2fee765e85eb799cec21067e0
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.equinox.preferences\3.5.100.v20130422-1538\bc48b6b0c00898d5eb2cbd6024fc0235ae04f3d2\org.eclipse.equinox.preferences-3.5.100.v20130422-1538.jar
MD5: fc94bbfa2dcfe6b40cefce0f5a305f3a
SHA1: bc48b6b0c00898d5eb2cbd6024fc0235ae04f3d2
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.equinox.registry\3.5.400.v20140428-1507\897775850f15e1595464bbff11562583b8132499\org.eclipse.equinox.registry-3.5.400.v20140428-1507.jar
MD5: b31d9c600f764fdcafacdef1ba72cb91
SHA1: 897775850f15e1595464bbff11562583b8132499
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.orbit.mongodb\2.10.1.v20130422-1135\98f0232dc80679a3f5c1effe15344dc7ceac98dc\org.eclipse.orbit.mongodb-2.10.1.v20130422-1135.jar
MD5: aeb824a874797d3ce55dec345ab6d44c
SHA1: 98f0232dc80679a3f5c1effe15344dc7ceac98dc
Referenced In Projects/Scopes:
Severity:
Low
CVSS Score: 2.1
(AV:L/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
The client in MongoDB uses world-readable permissions on .dbshell history files, which might allow local users to obtain sensitive information by reading these files.
Vulnerable Software & Versions:
Severity:
Low
CVSS Score: 2.1
(AV:L/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-287 Improper Authentication
MongoDB on Red Hat Satellite 6 allows local users to bypass authentication by logging in with an empty password and delete information which can cause a Denial of Service.
Vulnerable Software & Versions:
Description: %osgiServicesDes
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.osgi.services\3.3.100.v20130513-1956\1d73531fac5372870373a06193985611b1239f0c\org.eclipse.osgi.services-3.3.100.v20130513-1956.jar
MD5: 7f7d4198812b01cb7c5a26399af7706f
SHA1: 1d73531fac5372870373a06193985611b1239f0c
Referenced In Projects/Scopes:
Description: %systemBundle
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.osgi\3.10.1.v20140909-1633\e6a47e8e3edaf8b3cf74a1d5540a9c91369fb28a\org.eclipse.osgi-3.10.1.v20140909-1633.jar
MD5: 07e3c874013c7228107c5e0f61a942f5
SHA1: e6a47e8e3edaf8b3cf74a1d5540a9c91369fb28a
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\org.eclipse.update.configurator\3.3.200.v20130326-1319\4375455f2f0bd4f014e79758bbb3d4b7340e2943\org.eclipse.update.configurator-3.3.200.v20130326-1319.jar
MD5: 6af0b597ad8ab9b35422f6170e31b594
SHA1: 4375455f2f0bd4f014e79758bbb3d4b7340e2943
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.birt.runtime\viewservlets\4.5.0\59c773f6cd138d08b18c47ed2c1581283f573fd\viewservlets-4.5.0.jar
MD5: fca067702a5dcaaa9715924cbd616735
SHA1: 059c773f6cd138d08b18c47ed2c1581283f573fd
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.jdt\ecj\3.12.3\ade950992eb3caf6ab4f1a88706c755f0bf213d9\ecj-3.12.3.jar
MD5: 33e190a0f0745306de54fba90f381fc3
SHA1: ade950992eb3caf6ab4f1a88706c755f0bf213d9
Referenced In Projects/Scopes:
Description: Asynchronous API
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-continuation\9.3.14.v20161028\4ba272cee2e367766dfdc1901c960de352160d41\jetty-continuation-9.3.14.v20161028.jar
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
Vulnerable Software & Versions:
Description: Jetty deployers
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-deploy\9.3.14.v20161028\f2aae796f4643180b4e4a159dafc4403e6b25ca7\jetty-deploy-9.3.14.v20161028.jar
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
Vulnerable Software & Versions:
Description: Jetty module for Jetty :: Http Utility
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-http\9.3.14.v20161028\ea3800883f79f757b2635a737bb71bb21e90cf19\jetty-http-9.3.14.v20161028.jar
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
Vulnerable Software & Versions:
Description: Jetty module for Jetty :: IO Utility
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-io\9.3.14.v20161028\52d796b58c3a997e59e6b47c4bf022cedcba3514\jetty-io-9.3.14.v20161028.jar
Description: JMX management artifact for jetty.
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-jmx\9.3.14.v20161028\d4829a57973c36f117792455024684bb6a5202aa\jetty-jmx-9.3.14.v20161028.jar
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
Vulnerable Software & Versions:
Description: Jetty Rewrite Handler
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-rewrite\9.3.14.v20161028\823899b9456b3337422e0d98851cfe7842ef2516\jetty-rewrite-9.3.14.v20161028.jar
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
Vulnerable Software & Versions:
Description: Jetty security infrastructure
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-security\9.3.14.v20161028\68be91fa1bcc82eed1709d36e6a85db7d5aff331\jetty-security-9.3.14.v20161028.jar
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
Vulnerable Software & Versions:
Description: The core jetty server artifact.
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-server\9.3.14.v20161028\791df6c55ad62841ff518ba6634e905a95567260\jetty-server-9.3.14.v20161028.jar
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
Vulnerable Software & Versions:
Description: Jetty Servlet Container
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-servlet\9.3.14.v20161028\b5714a6005387b2a361d5b39a3a37d4df1892e62\jetty-servlet-9.3.14.v20161028.jar
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
Vulnerable Software & Versions:
Description: Utility Servlets from Jetty
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-servlets\9.3.14.v20161028\6f49da101a1c3cd1ccd78ac38391bbc36619658e\jetty-servlets-9.3.14.v20161028.jar
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
Vulnerable Software & Versions:
Description: Utility classes for Jetty
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-util\9.3.14.v20161028\fbf89f6f3b995992f82ec09104ab9a75d31d281b\jetty-util-9.3.14.v20161028.jar
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
Vulnerable Software & Versions:
Description: Jetty web application support
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-webapp\9.3.14.v20161028\c9ad20bd632ffe1d8e4631f2ed185310db258f48\jetty-webapp-9.3.14.v20161028.jar
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
Vulnerable Software & Versions:
Description: The jetty xml utilities.
License:
http://www.apache.org/licenses/LICENSE-2.0, http://www.eclipse.org/org/documents/epl-v10.phpFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.eclipse.jetty\jetty-xml\9.3.14.v20161028\3054375490c577ee6156a4b63ec262a39b36fc7e\jetty-xml-9.3.14.v20161028.jar
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
Vulnerable Software & Versions:
License:
Apache License, Version 2.0; see: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.freemarker\freemarker\2.3.25-incubating\9b31ed0d0321dfc1ae7ce63f2557df04b52a79e3\freemarker-2.3.25-incubating.jar
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.gagravarr\vorbis-java-core\0.6\71deedbdfe6a1b0dcadd6c5ae335e3e9b427524c\vorbis-java-core-0.6.jar
MD5: 724a557bf19d77f362b41f2796be158c
SHA1: 71deedbdfe6a1b0dcadd6c5ae335e3e9b427524c
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.gagravarr\vorbis-java-tika\0.6\be5b08ff4c45632975646f286a1d13e325bec59a\vorbis-java-tika-0.6.jar
MD5: 9906a3a825381c64756962ebe99df47b
SHA1: be5b08ff4c45632975646f286a1d13e325bec59a
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.
Vulnerable Software & Versions:
Description:
QDox is a high speed, small footprint parser for extracting class/interface/method definitions from source files
complete with JavaDoc @tags. It is designed to be used by active code generators or documentation tools.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.hamcrest\hamcrest-all\1.3\63a21ebc981131004ad02e0434e799fd7f3a8d5a\hamcrest-all-1.3.jar
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.hamcrest\hamcrest-core\1.1\860340562250678d1a344907ac75754e259cdb14\hamcrest-core-1.1.jar
MD5: b66d0c48e1f1dc54d4227db52512c15b
SHA1: 860340562250678d1a344907ac75754e259cdb14
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.hamcrest\hamcrest-core\1.3\42a25dc3219429f0e5d060061f71acb49bf010a0\hamcrest-core-1.3.jar
MD5: 6393363b47ddcbba82321110c3e07519
SHA1: 42a25dc3219429f0e5d060061f71acb49bf010a0
Referenced In Project/Scope:
junitReport
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.hibernate\ejb3-persistence\1.0.1.GA\f502b2c96c95e087435c79d3d6c9aa85bb1154bc\ejb3-persistence-1.0.1.GA.jar
MD5: d46c8f0555d95027269259dd04f6b10c
SHA1: f502b2c96c95e087435c79d3d6c9aa85bb1154bc
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.hibernate\hibernate-annotations\3.3.1.GA\2083b277c76037253189d17e68ba86d2da478440\hibernate-annotations-3.3.1.GA.jar
MD5: ac93aaf6dad9f72e1ca73eb4069b4cd0
SHA1: 2083b277c76037253189d17e68ba86d2da478440
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.hibernate\hibernate-commons-annotations\3.0.0.ga\c8f53732fe3b75935f0550bdc3ba92bc9345360f\hibernate-commons-annotations-3.0.0.ga.jar
MD5: 1ccefbe43fedffc16835ceb1a777d199
SHA1: c8f53732fe3b75935f0550bdc3ba92bc9345360f
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.hibernate\hibernate\3.2.6.ga\dd982c3d5c28c956aa4fa9112258cb3013606ddd\hibernate-3.2.6.ga.jar
MD5: 5fc853b674c28384719ad7f846ea4dce
SHA1: dd982c3d5c28c956aa4fa9112258cb3013606ddd
Referenced In Projects/Scopes:
Description: Inspektr Core
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.inspektr\inspektr-core\0.7.0\1d6851b0970de19593e8cdcbf7e593ca5c2db324\inspektr-core-0.7.0.jar
MD5: 36528ac75d74ab43a13aad6055146d60
SHA1: 1d6851b0970de19593e8cdcbf7e593ca5c2db324
Referenced In Projects/Scopes:
Description: jbzip2 is a Java bzip2 compression/decompression library. It can be used as a replacement for the Apache CBZip2InputStream / CBZip2OutputStream classes.
License:
MIT License (MIT): http://opensource.org/licenses/mit-license.phpFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.itadaki\bzip2\0.9.1\47ca95f71e3ccae756c4a24354d48069c58f475c\bzip2-0.9.1.jar
Severity:
Medium
CVSS Score: 4.6
(AV:L/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The bzexe command in bzip2 1.0.5 and earlier generates compressed executables that do not properly handle temporary files during extraction, which allows local users to execute arbitrary code by precreating a temporary directory.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.1
(AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-189 Numeric Errors
Integer overflow in the BZ2_decompress function in decompress.c in bzip2 and libbzip2 before 1.0.6 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted compressed file.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
bzip2 allows remote attackers to cause a denial of service (hard drive consumption) via a crafted bzip2 file that causes an infinite loop (a.k.a "decompression bomb").
Vulnerable Software & Versions:
Description: CAS core
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.jasig.cas\cas-server-core\3.3.5\c47163c27b1a7617af14182c168d2b5b54cdd66\cas-server-core-3.3.5.jar
MD5: 14e8ad0fdfb00b8213bfdd2c36304e59
SHA1: 0c47163c27b1a7617af14182c168d2b5b54cdd66
Referenced In Projects/Scopes:
Description: Provides a general interface for accessing attributes for a person.
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.jasig.service\person-directory-api\1.5.0-RC5\a2f4804d335d3cfe6a4bb3407dcf9fb88d396700\person-directory-api-1.5.0-RC5.jar
MD5: 342160c7a8e7d47a934fc442503f219b
SHA1: a2f4804d335d3cfe6a4bb3407dcf9fb88d396700
Referenced In Projects/Scopes:
Description: Provides implementations of the Person Directory API that have the capability of aggregating attributes from multiple data sources into a single view.
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.jasig.service\person-directory-impl\1.5.0-RC5\512831d6195409f9de30bcd06e1a3ce31fc4304f\person-directory-impl-1.5.0-RC5.jar
MD5: 05082275b6865cad22812017040483e2
SHA1: 512831d6195409f9de30bcd06e1a3ce31fc4304f
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.jdom\com.springsource.org.jdom\1.0.0\32e7389479349a9d30cab805d83486b1e865aeaa\com.springsource.org.jdom-1.0.0.jar
MD5: 9741e6528d37b38ac5c953f3d1892aa4
SHA1: 32e7389479349a9d30cab805d83486b1e865aeaa
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.jdom\jdom2\2.0.4\4b65e55cc61b34bc634b25f0359d1242e4c519de\jdom2-2.0.4.jar
MD5: e51c9485a3a38525a7df4bd25a05dec6
SHA1: 4b65e55cc61b34bc634b25f0359d1242e4c519de
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.jdom\jdom\2.0.2\d06c71e0df0ac4b94deb737718580ccce22d92e8\jdom-2.0.2.jar
MD5: f2ce377fffc36a069117c578c14139ba
SHA1: d06c71e0df0ac4b94deb737718580ccce22d92e8
Referenced In Projects/Scopes:
Description:
JSON is a light-weight, language independent, data interchange format.
See http://www.JSON.org/
The files in this package implement JSON encoders/decoders in Java.
It also includes the capability to convert between JSON and XML, HTTP
headers, Cookies, and CDL.
This is a reference implementation. There is a large number of JSON packages
in Java. Perhaps someday the Java community will standardize on one. Until
then, choose carefully.
The license includes this restriction: "The software shall be used for good,
not evil." If your conscience cannot live with that, then choose a different
package.
The package compiles on Java 1.2 thru Java 1.4.
License:
The JSON License: http://json.org/license.htmlFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.json\json\20140107\d1ffca6e2482b002702c6a576166fd685e3370e3\json-20140107.jar
Description: jsoup HTML parser
License:
The MIT License: http://jsoup.org/licenseFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.jsoup\jsoup\1.8.3\65fd012581ded67bc20945d85c32b4598c3a9cf1\jsoup-1.8.3.jar
Description:
Spatial4j is a general purpose spatial / geospatial ASL licensed open-source Java library. It's
core capabilities are 3-fold: to provide common geospatially-aware shapes, to provide distance
calculations and other math, and to read shape formats like WKT and GeoJSON.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.locationtech.spatial4j\spatial4j\0.6\21b15310bddcfd8c72611c180f20cf23279809a3\spatial4j-0.6.jar
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.milyn\flute\1.3\b7d59dc172005598b55699b1a75605b13c14f1fd\flute-1.3.jar
MD5: 2f2e13cd3523c545dd1c4617b373692c
SHA1: b7d59dc172005598b55699b1a75605b13c14f1fd
Referenced In Projects/Scopes:
Description: Noggit is the world's fastest streaming JSON parser for Java.
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.noggit\noggit\0.6\fa94a59c44b39ee710f3c9451750119e432326c0\noggit-0.6.jar
Description:
The development community in building GIS solutions is sustaining an enormous level
of effort. The GeoAPI project aims to reduce duplication and increase interoperability
by providing neutral, interface-only APIs derived from OGC/ISO Standards.
License:
https://geoapi.svn.sourceforge.net/svnroot/geoapi/branches/3.0.x/LICENSE.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.opengis\geoapi\3.0.0\a04e0f361627fb33a140b5aa4c019741f905577\geoapi-3.0.0.jar
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.opensaml\opensaml\1.1b\21ec22368b6baa211a29887e162aa4cf9a8f3c60\opensaml-1.1b.jar
MD5: b540669844849b8d8fad3336edf41dca
SHA1: 21ec22368b6baa211a29887e162aa4cf9a8f3c60
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.ow2.asm\asm-commons\5.1\25d8a575034dd9cfcb375a39b5334f0ba9c8474e\asm-commons-5.1.jar
MD5: 38839fb32c40f7f70986e9c282de0018
SHA1: 25d8a575034dd9cfcb375a39b5334f0ba9c8474e
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.ow2.asm\asm\5.1\5ef31c4fe953b1fd00b8a88fa1d6820e8785bb45\asm-5.1.jar
MD5: 3770466405f163d6616b65c32e16a3cd
SHA1: 5ef31c4fe953b1fd00b8a88fa1d6820e8785bb45
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.owasp.antisamy\antisamy\1.4.3\6bac1ebc43ac3db223f592ce904ac4c2f3ef26e5\antisamy-1.4.3.jar
MD5: 9c7777853e159535f4d510b4dc0a88a9
SHA1: 6bac1ebc43ac3db223f592ce904ac4c2f3ef26e5
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
In OWASP AntiSamy before 1.5.5, by submitting a specially crafted input (a tag that supports style with active content), you could bypass the library protections and supply executable code. The impact is XSS.
Vulnerable Software & Versions:
Description: The Enterprise Security API (ESAPI) project is an OWASP project
to create simple strong security controls for every web platform.
Security controls are not simple to build. You can read about the
hundreds of pitfalls for unwary developers on the OWASP web site. By
providing developers with a set of strong controls, we aim to
eliminate some of the complexity of creating secure web applications.
This can result in significant cost savings across the SDLC.
License:
BSD: http://www.opensource.org/licenses/bsd-license.php Creative Commons 3.0 BY-SA: http://creativecommons.org/licenses/by-sa/3.0/File Path: Z:\Gradle\caches\modules-2\files-2.1\org.owasp.esapi\esapi\2.1.0\1892f47602b211ec72abc45df93a69c953a7ffba\esapi-2.1.0.jar
Severity:
Medium
CVSS Score: 5.8
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
CWE: CWE-310 Cryptographic Issues
The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679.
Vulnerable Software & Versions: (show all)
Description: Enterprise Job Scheduler
License:
http://www.apache.org/licenses/LICENSE-2.0.txt Apache Software License, Version 2.0File Path: Z:\Gradle\caches\modules-2\files-2.1\org.quartz-scheduler\quartz\2.2.0\2eb16fce055d5f3c9d65420f6fc4efd3a079a3d8\quartz-2.2.0.jar
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.restlet.jee\org.restlet.ext.servlet\2.3.0\9303e20d0397c0304342943560c3a1693fd7ce7d\org.restlet.ext.servlet-2.3.0.jar
MD5: e81ab1a31fdd07ac02c576086201b2da
SHA1: 9303e20d0397c0304342943560c3a1693fd7ce7d
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.restlet.jee\org.restlet\2.3.0\4c5d184e23fa729726668a90dc7338d80c4e7e6f\org.restlet-2.3.0.jar
MD5: 33a94f74de95421b4938dfecb0029ab1
SHA1: 4c5d184e23fa729726668a90dc7338d80c4e7e6f
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.safehaus.jug\jug\2.0.0\adf11f76e51f057e9d6903dd9a916162620386c9\jug-2.0.0-asl.jar
MD5: fe4231b92c5e4ffdc6ec308a9fd23f6a
SHA1: adf11f76e51f057e9d6903dd9a916162620386c9
Referenced In Projects/Scopes:
Description: JCL 1.1.1 implemented over SLF4J
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.slf4j\jcl-over-slf4j\1.7.7\56003dcd0a31deea6391b9e2ef2f2dc90b205a92\jcl-over-slf4j-1.7.7.jar
MD5: 32ad130f946ef0460af416397b7fc7b7
SHA1: 56003dcd0a31deea6391b9e2ef2f2dc90b205a92
Referenced In Projects/Scopes:
Description: The slf4j API
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.slf4j\slf4j-api\1.7.21\139535a69a4239db087de9bab0bee568bf8e0b70\slf4j-api-1.7.21.jar
MD5: c9be56284a92dcb2576679282eff80bf
SHA1: 139535a69a4239db087de9bab0bee568bf8e0b70
Referenced In Projects/Scopes:
Description: The slf4j API
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.slf4j\slf4j-api\1.7.7\2b8019b6249bb05d81d3a3094e468753e2b21311\slf4j-api-1.7.7.jar
MD5: ca4280bf93d64367723ae5c8d42dd0b9
SHA1: 2b8019b6249bb05d81d3a3094e468753e2b21311
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.springframework\spring-beans\2.5.6\449ea46b27426eb846611a90b2fb8b4dcf271191\spring-beans-2.5.6.jar
MD5: 25c0752852205167af8f31a1eb019975
SHA1: 449ea46b27426eb846611a90b2fb8b4dcf271191
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-16 Configuration
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.0
(AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.springframework\spring-binding\1.0.6\c2789e5215ed30d4d9e06873097c8bab8ae97109\spring-binding-1.0.6.jar
MD5: a8bca088c4e5ef2a395b5d784c6aa180
SHA1: c2789e5215ed30d4d9e06873097c8bab8ae97109
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.springframework\spring-context-support\2.5.6.SEC01\3a88bce8e22a274f116d4fb3dcc936d088fff014\spring-context-support-2.5.6.SEC01.jar
MD5: e3f6c6bd31d9bca3d9c73693ce37f55c
SHA1: 3a88bce8e22a274f116d4fb3dcc936d088fff014
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-16 Configuration
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.springframework\spring-context\2.5.6.SEC01\30ab3c56aa2ca6d9e4a194a36ac0679df2fd108\spring-context-2.5.6.SEC01.jar
MD5: fc87e3ecd8faa9306fe3657955e35315
SHA1: 030ab3c56aa2ca6d9e4a194a36ac0679df2fd108
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-16 Configuration
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.springframework\spring-core\4.2.3.RELEASE\3ed00dad7a16b2a28df9348294f6a67151f43cf6\spring-core-4.2.3.RELEASE.jar
MD5: d32fdda47ac7d787d10d19c0f1129d6f
SHA1: 3ed00dad7a16b2a28df9348294f6a67151f43cf6
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.springframework\spring-jdbc\2.5.6.SEC01\74f28b32f9678dd3093643a268af767ddfcc337d\spring-jdbc-2.5.6.SEC01.jar
MD5: c07e1949e888106ff976e0d8f3d2d594
SHA1: 74f28b32f9678dd3093643a268af767ddfcc337d
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-16 Configuration
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.springframework\spring-orm\2.5.6.SEC01\255bd5a5d6d456792bb928e1cced60755f1fe513\spring-orm-2.5.6.SEC01.jar
MD5: cfb974095eb2430ba94a1137a4ee2313
SHA1: 255bd5a5d6d456792bb928e1cced60755f1fe513
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-16 Configuration
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.springframework\spring-test\4.2.3.RELEASE\d7c055b8fb1117ef75045679892228a4816cd80e\spring-test-4.2.3.RELEASE.jar
MD5: 4ec65b45ae6c51ba549b04f1d75aac7c
SHA1: d7c055b8fb1117ef75045679892228a4816cd80e
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.springframework\spring-tx\2.5.6.SEC01\4af6ff118eb394f804fe3a96f3e3f323a5de5ff6\spring-tx-2.5.6.SEC01.jar
MD5: d3823f3cc0feeb18a6e89a1ff833a08e
SHA1: 4af6ff118eb394f804fe3a96f3e3f323a5de5ff6
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-16 Configuration
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.springframework\spring-web\2.5.6.SEC01\6a5711a5a29cf25603892c2bace8bbe3bf062834\spring-web-2.5.6.SEC01.jar
MD5: 042b8195b45e7a61c017e8304b3c6dd1
SHA1: 6a5711a5a29cf25603892c2bace8bbe3bf062834
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-16 Configuration
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.springframework\spring-webflow\1.0.6\73a9cef54005fe7c23947f13300eb0e0bf0f265a\spring-webflow-1.0.6.jar
MD5: 29723d7337b93020528ced714cf7a364
SHA1: 73a9cef54005fe7c23947f13300eb0e0bf0f265a
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.springframework\spring-webmvc\2.5.6.SEC01\1a48edcf8dcfc76882c821931eb0529db9af5d9b\spring-webmvc-2.5.6.SEC01.jar
MD5: 843c40ce4f66dc53e6fa635aff914933
SHA1: 1a48edcf8dcfc76882c821931eb0529db9af5d9b
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-352
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
Vulnerable Software & Versions: (show all)
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.
Vulnerable Software & Versions: (show all)
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-16 Configuration
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.tukaani\xz\1.5\9c64274b7dbb65288237216e3fae7877fd3f2bee\xz-1.5.jar
MD5: 51050e595b308c4aec8ac314f66e18bc
SHA1: 9c64274b7dbb65288237216e3fae7877fd3f2bee
Referenced In Projects/Scopes:
Severity:
Medium
CVSS Score: 4.6
(AV:L/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly process file names containing semicolons, which allows remote attackers to execute arbitrary code by having a user run xzgrep on a crafted file name.
Vulnerable Software & Versions:
Description: Jackson Databind module for serializing and deserializing Java 8 java.util.Option objects.
This tool is forked from original source created by @realjenius
License:
Apache License, Version 2.0: license.txtFile Path: Z:\Gradle\caches\modules-2\files-2.1\org.zapodot\jackson-databind-java-optional\2.4.2\588266ff57165736149bc38e07f2875a4fe5969c\jackson-databind-java-optional-2.4.2.jar
File Path: Z:\Gradle\caches\modules-2\files-2.1\oro\oro\2.0.8\5592374f834645c4ae250f4c9fbb314c9369d698\oro-2.0.8.jar
MD5: 42e940d5d2d822f4dc04c65053e630ab
SHA1: 5592374f834645c4ae250f4c9fbb314c9369d698
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\regexp\regexp\1.3\973df2b78b67bcd3144c3dbbb88da691065a3f8d\regexp-1.3.jar
MD5: 6dcdc325850e40b843cac2a25fb2121e
SHA1: 973df2b78b67bcd3144c3dbbb88da691065a3f8d
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\stax\stax-api\1.0.1\49c100caf72d658aca8e58bd74a4ba90fa2b0d70\stax-api-1.0.1.jar
MD5: 7d436a53c64490bee564c576babb36b4
SHA1: 49c100caf72d658aca8e58bd74a4ba90fa2b0d70
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\wsdl4j\wsdl4j\1.6.2\dec1669fb6801b7328e01ad72fc9e10b69ea06c1\wsdl4j-1.6.2.jar
MD5: 2608a8ea3f07b0c08de8a7d3d0d3fc09
SHA1: dec1669fb6801b7328e01ad72fc9e10b69ea06c1
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\xalan\xalan\2.7.0\a33c0097f1c70b20fa7ded220ea317eb3500515e\xalan-2.7.0.jar
MD5: a018d032c21a873225e702b36b171a10
SHA1: a33c0097f1c70b20fa7ded220ea317eb3500515e
Referenced In Projects/Scopes:
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.
Vulnerable Software & Versions: (show all)
File Path: Z:\Gradle\caches\modules-2\files-2.1\xerces\xercesImpl\2.8.1\25101e37ec0c907db6f0612cbf106ee519c1aef1\xercesImpl-2.8.1.jar
MD5: e86f321c8191b37bd720ff5679f57288
SHA1: 25101e37ec0c907db6f0612cbf106ee519c1aef1
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\xml-apis\xml-apis-ext\1.3.04\41a8b86b358e87f3f13cf46069721719105aff66\xml-apis-ext-1.3.04.jar
MD5: bcb07d3b8d2397db7a3013b6465d347b
SHA1: 41a8b86b358e87f3f13cf46069721719105aff66
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\xml-apis\xml-apis\2.0.2\3136ca936f64c9d68529f048c2618bd356bf85c9\xml-apis-2.0.2.jar
MD5: 458715c0f7646a56b1c6ad3138098beb
SHA1: 3136ca936f64c9d68529f048c2618bd356bf85c9
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\xmlpull\xmlpull\1.1.3.1\2b8e230d2ab644e4ecaa94db7cdedbc40c805dfa\xmlpull-1.1.3.1.jar
MD5: cc57dacc720eca721a50e78934b822d2
SHA1: 2b8e230d2ab644e4ecaa94db7cdedbc40c805dfa
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\xom\xom\1.2.5\4166493b9f04e91b858ba4150b28b4d197f8f8ea\xom-1.2.5.jar
MD5: 91b16b5b53ae0804671a57dbf7623fad
SHA1: 4166493b9f04e91b858ba4150b28b4d197f8f8ea
Referenced In Projects/Scopes:
File Path: Z:\Gradle\caches\modules-2\files-2.1\xpp3\xpp3_min\1.1.4c\19d4e90b43059058f6e056f794f0ea4030d60b86\xpp3_min-1.1.4c.jar
MD5: dcd95bcb84b09897b2b66d4684c040da
SHA1: 19d4e90b43059058f6e056f794f0ea4030d60b86
Referenced In Projects/Scopes:
Description: Core Jackson abstractions, basic JSON streaming API implementation
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.htrace\htrace-core\3.2.0-incubating\8797cf3230f01e8724ef27a0ed565dabb6998c64\htrace-core-3.2.0-incubating.jar\META-INF/maven/com.fasterxml.jackson.core/jackson-core/pom.xml
MD5: b5ed6cb7f987a4da86141638b1538d81
SHA1: ed8235ea6d84480833675e709b415bde24ce25f7
Description: General data-binding functionality for Jackson: works on core streaming API
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.htrace\htrace-core\3.2.0-incubating\8797cf3230f01e8724ef27a0ed565dabb6998c64\htrace-core-3.2.0-incubating.jar\META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml
MD5: d3f7afe903419aa0c03f9cf8682e1a69
SHA1: 3c0d06b6c0a9f4135fcf5c5557c751c0cd066c0c
Description: Core annotations used for value types, used by Jackson data binding package.
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.htrace\htrace-core\3.2.0-incubating\8797cf3230f01e8724ef27a0ed565dabb6998c64\htrace-core-3.2.0-incubating.jar\META-INF/maven/com.fasterxml.jackson.core/jackson-annotations/pom.xml
MD5: 556310b593b9688b85686409e0bd5377
SHA1: 2b75fa41636e5d02edc961ee9c68e6f041dc85a9
Description: Commons Logging is a thin adapter allowing configurable bridging to other,
well known logging systems.
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.htrace\htrace-core\3.2.0-incubating\8797cf3230f01e8724ef27a0ed565dabb6998c64\htrace-core-3.2.0-incubating.jar\META-INF/maven/commons-logging/commons-logging/pom.xml
MD5: 976d812430b8246deeaf2ea54610f263
SHA1: 76672afb562b9e903674ad3a544cdf2092f1faa3
Description: Contains aspects and implementation classes shared by LLOM and DOOM.
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.ws.commons.axiom\axiom-impl\1.2.17\6df316d52cfd9efc4ee155b4dff0125769af1580\axiom-impl-1.2.17.jar\META-INF/maven/org.apache.ws.commons.axiom/om-aspects/pom.xml
MD5: be5411f23abad2369eb94ad64622bb54
SHA1: 2e08c15bd701460f07711311fad5785ecf7ad861
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.ws.commons.axiom\axiom-impl\1.2.17\6df316d52cfd9efc4ee155b4dff0125769af1580\axiom-impl-1.2.17.jar\META-INF/maven/org.apache.ws.commons.axiom/core-aspects/pom.xml
MD5: 578ca70e0a265fd5b1515eea14e67efb
SHA1: 42e8d4b4f2f941ab0b50240e6b096a1151221003
Description:
Contains mixins for methods that are shared between DOM and Axiom.
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.ws.commons.axiom\axiom-impl\1.2.17\6df316d52cfd9efc4ee155b4dff0125769af1580\axiom-impl-1.2.17.jar\META-INF/maven/org.apache.ws.commons.axiom/shared-aspects/pom.xml
MD5: ea8a4489f8026ca7b879fae7de636afd
SHA1: bbe62a1404feb5cc8f9a7babbd7a12d50479144b
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.apache.ws.commons.axiom\axiom-impl\1.2.17\6df316d52cfd9efc4ee155b4dff0125769af1580\axiom-impl-1.2.17.jar\META-INF/maven/org.apache.ws.commons.axiom/xml-utils/pom.xml
MD5: 76d0bf22e109300e6a67875c5781f659
SHA1: dac902cf3a5280076d8a92fc9a421fe15e23a1e6
File Path: Z:\Gradle\caches\modules-2\files-2.1\org.codehaus.plexus\plexus-utils\1.5.6\8fb6b798a4036048b3005e058553bf21a87802ed\plexus-utils-1.5.6.jar\META-INF/maven/org.codehaus.plexus/plexus-interpolation/pom.xml
MD5: 61795135733295c9aa438fda7b923db8
SHA1: 1074eabfbcbfb0decfe6f9ed0541668e114b9311